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GLOSSARY OF ACRONYMS AND ABBREVIATIONS 


Note. Where appropriate, acronyms and abbreviations used herein conform to FAA-aooroved 
juonyms as used in me Airman's Information Manual and other regulator/ and advisory material 

^Sl£r a<1 ° nS f ° r C0Ckp '' deViC « b >' spec.flfmanaW-turersri'n™^ 


Abbreviation for “aircraft”. 

ARINC iqv) Communications and Address Reporting system 
Automated En Route Air Traffic Control, the FAA’s advanced ATC system concent 

Ra ^°- provides data Warding services for air carried 

Aircra.1t System Controller (McDonnell-Douglas MEM 1). 

Airport Surface Detection Equipment (radar). 

bi^N AS R A ftSAA SyStem ' S VOta " ta -' y ’ co " fid "" ial reporting 

1 ^^^organiaadon. 

Certral air data computer. 

S;”uS d 4&^. fi ' Sh, mana * Cm ' M SySKm * luman * s ys*eni interface. 
Cathode ray tube. 

Ctckpit voice recorder. 

KfL r J;!^ l ™ M * urin S«l l “Pn»nt, an element in the common navigation system 
°°** a na " gan0n SySKm maklng usc °f Doppler rada/to senre of change 


AC 

ACARS 

AERA 

ARINC 

ASC 

ASDE 

ASRS 

ATA 

ATC 

CADC 

CDU 

CFTT 

CRT 

CVR 


E-MACS 

EAD 

ECAM 

EEC 

EGT 

EICAS 

ESPRIT 


F-PLN 

FAA 

FADEC 

FMC 

FMS 

GPS 

GPWS 

GS 


HSI 

ILS 

LNTC 


Engine Monitoring and Control System (ref 61). 

Engine and Alert Display (McDonnell-Douglas MD-1 1). 

p 2?!?“^ Ai^^Monitoring System (Airbus Industrie A3 10, A3 20) 

Electronic Engine Controller (Boeing 757/767). 

Exhaust gas temperature. 

1 “i? ak ? in S s y stem (Boeing 757/76^, 747-400, 777) 

wSonTSL^ P ' a ” S ““* iC ProgIam fOT Resealch and Development in 

Abbreviation for “flight plan”. 

Federal Aviation Administration. 

Full authority digital engine controller. 

Flight management computer. 

Flight management system 

Global positioning system, a satellite-based navigation system 
Ground proximity warning system. 

Glide slope, the vertical path generated by a surface transmitter for instrument 
approaches, an element of the instrument landing system. 

Horizontal situation indicator, either electromechanical or glass cockpit display. 

s yj tem » consisting of localizer and glide slope transmitters on the 
^ S0 / S ^ t0 desc T lbe m approach conducted using H.S guidance 
Aobreviation for “intersection”, a waypoint in a navigation plan. 


1 


e r 


t 


* 


INS 

rvsi 


KLM 

LAF 

LCD 

LOC 

LORAN 


MCP 

MITRE 

MLS 

NASA 

NTSB 

PERF 

PFD 

QRH 

RMI 

RNAV 

SAS 

SID 

STAR 

TCAS 

UHF 

VHF 

VOR 


'■<fni.WUM.jlu I 


Inertial navigation system, an airborne system of gyroscopes ?nd accelerometers that 
keeps track of aircraft movement in three spatial axes. 

Instantaneous vertical speed indicator, an electromechanical irstnmxmt using air data i 

quickened by acceleration data; also the display of such information on a primary flight 
display ir. a glass cockpit aircraft. 

Royal Dutch Airlines. 

Load Alleviation Function (Airbus Industrie A320), automation that acts on wing 
control surfaces to smooth the effect of gusts in flight 
Liquid crystal display. 

Localizer, a surface transmitter that delineates a path to an instrument runway; a 
component of the ILS. Also, the path so delineated. 

Long-range navigation system, ground-based low-frequency radio aids providing 
triangulation-based position derivation for aircraft and surface vehicles. 

Mode control panel: the tactical control panel for the autoflig.it system; almost always 
located centrally at the top of the aircraft instrument panel. 

MITRE Corporation, an engineering firm that conducts systems analyses and provides 
engineering technical support and guidance to the FAA, Department of Defense and 
others. 

Microwave landing system, a high-precision landing aid which provides the capability 
for curved as well as straight-in approaches to a runway, and conveys certain other 
advantages. The system is in advanced development and verification testing by FAA. 

National Aeronautics and Space Administration. 

National Transportation Safety Board. 

Abbreviation for “performance”. 

Primary flight display, usually electronic. 

Quick reference handbook, a booklet containing aircraft operating procedures, 
especially abnormal and emergency procedures. 

Radio magnetic indicator, an electromechanical instrument showing magnetic heading 
and bearing to VOR or low frequency nondirection al radio beacons. 

Area navigation system, a generic acronym for any device wliich is capable of aircraft 
guidance between pilot-defined waypoints. 

Scandinavian Airlines System. 

Standard instrument departure procedure. 

Standard arrival route, like SID, an FAA-approved arrival route and procedure. 

Traffic alert and collision avokLuice system. 

Ultra-high frequency, a portion of the electromagnetic spectrum used for aeronautical 
communications and navigation. 

Very high frequency, a portion of the electromagnetic spectrum used for aeronautical 
communications and navigation. 

Very high frequency Omnidirectional Range, a surface, radio navigation beacon 
transmitter which forms the core of the common short-range navigation system for 
aircraft. 
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INTRODUCTION 


The purposes of this document are to examine aircraft automation and its effects on the 
. ® <iVIor °* crews ’ and t0 propose guidelines for the design and use of automation in 

nanspon aircraft, in order to stimulate increased dialogue between designers of aircraft, automation 

? e n )pCm ° n and pil0tS ‘ Tne S oa] is » explore ** means by wSh autoSon 
w<m be nude a more effective tool or resource for pilots without compromising, and hopefully with 

av il UOn SyStem safet > Human i'- the dominant cause of aircraTaccSems 
.. .cst o. these act-ia^nts are avoidable. The most imp* rtant purpose automation ran serve is to 
make the aviation system more error resistant and more error toierant. 

Automation at some level has been applied to aircraft since before World War I (ref 1) It has 

teen an invaluable aid to pilots flying special missions from 1930 onward. On juiv 24 1933 the 
New \ork Times rennrt no nn Dnct’r ;..o, i-.-j «•_. . . 7 ’ *r. ’ U1C 


,“2r. , ;r; y* I«ii6-ui»uuiw avxaaun... t-ommercia; riymg in the future 

transport since in and dvil air 


.nri “on principles incorporating automated devices that assist in flight path 

g hav ? ma ? e lt ? asible to certif >' “d operate complex transport aircraft 
safely wiJi a crew of two rather than three persons, jusi as the development of automated area 
navigation systems (Doppler, INS, LORAN) had replaced the navigator some years before and 
oTtte'p^.T *? ra&o ccmmuracations had supplanted the radio operator still earlier. The report 
ofthe Pft&ufcnt s .ask Force on Aircraft Crew Complement stated, “We believe that froman 
aircraft systems standpoint the level of safety achieved by the B-757, B-767, and A-310 might be 
even higher than that achieved in present-generation aircraft as a result of the increased 
redundancy, reliability and improved information that are to be provided the flight crews through 
more extensive use of digital avionics and cathode ray tube (CRT) displays” (ref.3). g 

More recently, aircraft have been introduced with fly-by-wire control systems incorooratinc 
envelope protection that prevents pilots from flying outside a predetemhnSTigte^doi 2 
advanced flight management systems that automate navigation and flight path management and 
automatea suosystems management computers that relieve the crew of esseSy aTroudne 
management tasks. Indeed, the McDonnell -Douglas MB-1 1, now entering service 
reconfigures aircraft subsystems automatically after certain hardware failures, reducing ftight^w 
involvement m subsystems management still further (ref 4). The MD-1 1 also attempts to mferThe 
intentions of the pilots m certain flight regimes and adjusts aircraft and Se piTmeters 

7 - 7 VnJ 0 ^ 01 ™ Wnk - £C ,mended °P eradr, S procedures for those phases of flight. The 
Boeing 7 / 7, now^in design, ana o- r new aircraft may incorporate electronic libraries which wall 
automate much Oi the miormatioi; management now performed manually (ref. 5). 

automated aircraft have teen in service for ten years, during which time 

hav^' Tu lle r S ' a f CS aiT »ansport have remained level except for secula/variation, or 
a e declined. The President s Task Force in 1981 commented that “the increased use of 
automation on the DC-9-80 has led to a change in the number, but not the nar^ of the mks that 
performs comparer to the DC-9-50. The role of the pilot is unchanged” (ref 3) There is 
certainly no evidence that transport flying has become less safe since the introduction of Si v 
automated aircrait, and there is some evidence that safety has improved. What, then is the 
problem that motivates this document? And why, in the face of this safety record has the Air 
Transport A s s < xianori (ATA) of America cited aircraft automation as the first element in its; 
National Plan to Enhance Aviation -tv through Human Factors Improvements" (ref 6)° 
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Although accident rates have been stable or h 5 ve declined during the past two decades, 
evaluation of individual accident and incident reports reveals two contrary trends. First, there has 
been a sharp decline in accidents caused by controlled flight into terrain (CFIT) since the 
introduction of ground proximity warning systems (GFWS) into transport aircraft in 1975. There 
■ s sorn *f evu * ei ?, ce t J? at CFTT accidents have been replaced by incidents involving “controlled flight 
toward terrain (ref. 7), but it appears that the Congressionaily-mandated introduction of automated 
. *rrain proximity sensors and alerting systems has been largely successful in preventing most 
accidents of this type in aircraft of the nations that require GF’WS. 

The success of GFWS has been one of several factors that has motivated the U.S. Congress 
tc require the installation, during the next two years, of wind shear alerting devices and collision 
avoidance systems in transport aircraft (refs. 8 and 9). Like GPWS, these devices can detect 
v-ondi jons that may not be obvious to human pilots. Also like GFWS, these devices are advisory 

in nature; they alert pilots to the presence of a problem, but do not perform avoidance maneuvers at 
tixi s tunc > 

There is a contrary trend, however. Several aircraft accidents and a larger number of incidents 
have been associated with, and in some cases appear to have been caused by, aircraft automation 
or, more accurately, by the interaction between the human operators and the automation in the 
i cases - a n» n g them a Northwest MD-82 at Detroit (ref. 10) and a Delta B727 at 

Dallas yref. 1 1 ). automated configuration warning devices failed or were rendered inoperative. In 

an A rf IOrrk ; X!CO , Rp* 0 on departure from Frankfurt (ref. 12) and an Indian Airlines 
A320 landing at Bangalore (ref. 13), automation has operated in accordance with its design, but in 
a mode incompatible with safe flight under particular circumstances. In still other cases, automated 
devices have not warned, or night crews have not detected, that the devices were operating at their 
ami s, as m the China Airlines 74*7 accident offshore from San Francisco (ref. 14), or were 
operating umeuably, as in the SAS DC' 10 landing accident at New York (ref. 15). 

• r i?fj a inc | i dcrit reports also suggest that automated information systems, originallv 
installed as backup devices for pilots, have become de facto primary alerting devices after periods 
of dependable service. These devices were originally prescribed as a “second line of defense” to 
warn pilots when they had missed a procedure or checklist item. Altitude alerting devices and 
configuration warning devices are prime examples (ref. 16). In the Northwest and Delta accidents 
mentioned abeve, *e flight crews should have, but apparently did not, check the configuration of 
them aircraft before takeoff as their procedures required. The automated warning systems failed to 
warn them that they had not performed these checks. In these cases, the presence of (and reliance 
~uaUy reliable automation may have affected the mind-sets and behaviors of the pilots being 

Accidents and incidents associated with or caused, in whole or in pan, by automation 
constitute a new class of potentially preventable mishaps in transport aviation. As «uch they 
represent a new threat to safety, the paramount concern of the aviation industry. It is estimated that 
passenger enplanements will increase 75% by the turn of the century (ref. 17). It is not enough to 
main tarn accident rates at any non-zero level in the face of our current surge in air transport activity- 
the number of highly publicized, enormously expensive accidents will rise unless rates can be 
reduced father. It is for this reason that the ATA’s National Plan stated that “During the 1970’s 
and early 1980 s...tbe concept of automating as much as possible was considered appropriate. 
The expected benefits were a reduction in pilot workload and increased safety... Although many of 
these benefits have been realized, senous questions have arisen and incidents/ai jidents have 

a? wJvc wmch 9 ucstlon , 1 underlying assumption that the maximum available automation is 
ALWAYS appropriate or that we understand how to design automated systems so that they are fullv 
compatible with the capabilities and limitations of the humans in the system.” y 

. . ^ ^ TA . rcp f£ t <fi, sc ; isscd specific issues, and went on to say, “The fundamental concern i« 
the lack of a scientifically based philosophy of automation which describes the circumstances under 
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which tasks are appropriately allocated to the machine and/or the pilot.” The report then defined an 
approach 10 this domain, which in large part has been the motivation for this document. 

To summarize: if there is a perceived problem, there is probably a real problem Whether it is 
precisely the problem that is perceived is often susceptible to analysis but may be of little 
importance in the ion fc run. The aviation community clearly perceives that automation convey-! 
important benefits, but it also perceives in automation a potential threat to air safety Most 
automation-related mishaps may be preventable, ji st 3s most accidents involving human factors are 
preventable. We must therefore try by even' means at our command to prevent them. 

, . ** automation is required, there must be an intemally-consistent philosophy to govern fis 
resign ana application. Accident, incident (ref. 18), and field study (ref. 19) data indicate that the 
concerns of the aviation community (ref. 6) are well-founded— that automation conveys important 
benefits but that it can also pose new problems. We suggest a concept for a philosophy of human- 
centered automation and will attempt herein to define its elements in terras of what is known about 
human behavior and air transport operations. 

This paper does not purport to be a designer’s handbook. We have not attempted to cover in 
any detail the myriad details of human factors engineering that determine how a cockpit should be 
designed once a designer has determined what that cockpit should contain. Rather, we attempt to 
suggest questions that should be answered before beginning the design of the automation suite for 
an advanced-technology aircraft. The report is aimed primarily at three groups: cockpit designers 
purchasers of automated aircraft and the pilots who must fly' them in line operations. They are 
t ought o., respectively, as the creators, purchasers and end users of advanced aircraft automation. 
To be effective, automation must meet the legitimate needs and constraints of each of these groups. 

It is hoped that this document will provoke discussion within our community about what 
automation should be like m future aircraft: what roles automation should play in future aircraft 
how much authority it should have, how it will interact with the human operator, and what, if anv 
roles should be reserved for the human. We draws extensively on the automation of today’ 
without in any sense intending to be critical of the enormously capable aircraft now being flown 
safely in our aviauon system. But the pertect design has never existed and probably never will- too 
many tradeoffs must oe made, in the course of the design process, and automation design involves 
complex and imprecisely understood interactions between human cognition and sophisticated 
information processing machines. v 

... 1,1 fir5! section of this paper we define some terms, look briefly at the development of pilot 
aiding devices, then present our concept of human-centered automation and of the role of the 
human in highly automated systems. In the second section we examine in more detail various 
lands of aircraft automation that have been used to date in an effon to discern what has worked 
well, what has worked less well, and why. We also examine trends in automation that may be 
applied m aircraft in the near-term future in order to identify issues that may arise from its 
implementation. In the third section we look at the environment in which new automation will be 
introduce.- and used, and the people who will use it, to determine factors that may interact 
favorably or unfavorably, with that automation. In the fourth section we review guidelines that 
have been proposed in the past and suggest desirable attributes for present and future automation. 
The final section is devoted to a more detailed discussion of suggested guidelines for the 
application of human-centered aircraft automation. An appendix provides brief descriptions of 
aircraft nushaps cited in the text. K 

pie style of presentation is essentially didactic, though we attempt to explain the basis for our 
conclusions. Automation is an art as much as a science, just as architecture is an art as well as an 
engineering discipline. It cannot be approached from the standpoint of pure reason, nor can we 
make the mistake of believing that there is but one best way to design, construct or ^ven o^rare 
automated devices. Many elements of this document are therefore arguable, but we suggest that 


iU ' P,ing ,b ° m ' h ' m W ‘ U " iBClf us closer oaT * M| of rfftoiw. 

pro ? uc! of , 35 ycars of ob3CTvin S and worUng wiih pilols, operator, air 
^ ° ntr,J * lcrs and ^ TCT * fl manufacturers to try to build a safer national aviation system It is 
Kri!' tbts^ report will be perceived as useful by the community whose guidance and 
•O-bearance over a long period of time made its creation possible. 


Charles E. Billings 
August, 1991 
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I: CONCEPTS 

Assumptions and Definitions 
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„f he A ,] A Hurr ‘ an Factors Task Force states in its 1989 report “This vlan assume that 
humane wiL continue to manage and direct the National Aviation System through the v*ar~20 » 0 
Tne pilot ana the controller will both be integral pans of the air and ground system A u»oimti , m 

JESSfe* dts '* red ,0 assisl *" d *• — £ 


nrwl“!rf"' as USed he !? in ’ r ^ fers t0 *>’"«» or merfod in ivAicA ^ of the processes of 

t 0T Z d 0T C °r oUed b> ™NJs. electronic 

rZuS ! H S ; concern is witft aircraft automation specifically, though we will discuss 
mhtr demon., of the avtadon system insofar as they impact to aircraft and dte We £ ™ 
because the aircraft is the device managed or controlled in the aviation system regardless of how 
that control, s exercised or where the locus of control may be. Even remoteh’conTOliti ZZZ 
nS * ^ conCrolIed , or man aged by a pilot; the automation through which the task is performed 
.■ZJf'c °s f o, ratC ennre,y auton °mously, and the automation, we would argue, must sdl) be human- 
centeied if the system ts to operate effectively. We do not constder atr traffic comml excSt tnShr 
as it influences the management and control of aircraft. ^ 

By human-centered automation, ” we mean automation designed io work cooperatively with 
human operators in the pursuit of stated objectives. We consider Lio^tioX^ T^l or 
resource— a device, system or method by which the human can accomplish some task that miehr 
?n w 1S H e b ? difflc 1 ult , 0r ^possible, or which the human can direcTre ^nore oTllsl 

‘W” ? eny a ^ Sk f 131 W i° uld otherwise require increased human attentions effort The word 
tool does not foreclose the possibility that the too! may have some degree of ^Sligence’- 

some capacity to learn and then to proceed independently to accomplisbia task. Automation is 

y one 0l **»?>' resources available to the human operator, who retains the responsibility for 
management and direction of the automation and the overall system. responsibility for 

The Piloting Domain 


We conceptualize piloting as the use by a human operator of a vehicle (an aircrafts in 
*n^!5? S th a H\ lsslon ( }° move Passengers and cargo between two points) (fig. 1). Rouse (ref 
’ L -' i Slgn ob J ecD ^ :> should be to support humans to achieve the operational objectives 

jor which they are responsible. From this perspective, the purpose of a pilot is Sffi 

s?aEfin^ of 



The mission requires more-or-less 
simultaneous accomplishment of five 
categories of functions / inner-loop control of 
aitplane attitude and state, control of the flight 
path m three dimensions, management of 
airplane position, management of its systems, 
and maintenance of communications with the 
entities responsible for its movements. Eacn 
of the.se functions may be decomposed into a 
number of tasks, which may sometimes 
involve several sub tasks. Tasks (many of 
which may be carried out either by humans or 
by machines) are performed utilizing a 
combination of resources. 
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The resources available to the pilot include his or her own perceptual, cognitive and 
psvchomotor skills, the knowledge and skills of other flight and cabin crewmembers, the 
know-ledge and information possessed by other persons with whom the pilot may be able to 
communicate, and a variety of inform don sources and control devices, including the automated 
devices, within the aircraft. These resources are controlled and managed by a pilot in command, 
who is ultimately responsible for safe mission accomplislument. 

Control and management of an aircraft may be viewed as a senes of levels, which are categorized 
by the degree of direct or immediate involvement of the pilot (rig 2). 



Figure 2: Pilot control and management continuvm 

Development of Pilot Aiding Devices 

Not all of the functions required for mission accomplishment in today’s complex aircraft are 
within the capabilities of the unaided human operator, who lacks the sensory capacity to detect 
much of the information required for flight and who is unable to make certain decisions or take 
actions based on them within the rime available for accomplishment of certain critical tasks. In the 
early days of aviation, the pilot set forth unaided, with only human perceptual capabilities to 
provide necessary information. It was soon discovered that the e were insufficient, and aircraft 
sensors and instruments were developed to augment the limited human capabilities. 

Even before the first powered flight in 1903, aircraft designers had recognized the instability 
of their machines and had begun to work toward providing pilots with assistance in controlling the 
vehicles. The Wrights worked toward development of a stability augmentation device in 1907 (fig. 
3); they were preceded by Sir Hiram Maxim, who patented the first such device in 1891 (ref. 21). 
Orville Wright was awarded the Collier Trophy in 191 3 for a demonstration of hands-off flight 
using an automatic stabilizer. By the 1930s, autopilots were considered essential for long-distance 
flying. The introduction of retractable landing gear was accompanied by a requirement for 
configuration warning systems. The introduction of four-engine aircraft Jed to the development of 
automatic propeller synchronizing devices. Some World War I! aircraft were difficult to control if 
an engine failed on takeoff; automatic propeller feathering devices were consequently introduced 
for these aircraft. The development of improved electronics led to the capability for automatic 
navigation. The introduction of digital computers enabled th lesign of on-board flight and 
performance management systems and, later, of tailored flight control systems. 
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Figure 3: A brief ehronolog of aircraft automation 

Since shortly after World War II, nearly all transport aircraft have made extensive use of 
automated devices to assist and augment the capabilities of the flight crew. The advent of turbojet 
transports during the 1950s introduced new requirements for automation. These aircraft were 
considerably faster than their predecessors, and were less aerodynaniically stable. The requirement 
for very precise control, paroculaily during approach tc landing, ied to the development of new 
classes of pilot aids including flight directors, expanded and quickened displays, and stability 
augmentation devices. 

The demands on the pilot— vehicle system became progressively greater, both in the area of 
precision navigation and in requirements for more reliable all-weather operation. Precision 
navigation over land was enabled by the introduction of very high frequency (VHP) 
omnidirectional range systems (VOR) and, later, distance measuring equipment (DMJE). Long- 
range navigation over water was immeasurably aided by the development of area navigation 
systems — first Doppler, later inertial navigation devices that freed aircraft fro* 1 , dependence on 
ground radio aids. Precision approach aids, primarily instrument landing systems (ILS) and 
improved approach and touchdown zone lighting were introduced. Static-free VHF 
communications equipment became standard for short-range radio communications. 

The development of compact solid-state electronics made it possible to accomplish much more 
computation within the aircraft. Contemporary aircraft may contain well over 100 computers and 
microprocessors, which assist in the control of aircraft state and energies, flight path management 
and aircraft systems management. They may also assist cabin crew in certain of their duties. 
Flight and performance management computers perform most tactical navigation chores; 
sophisticated digital autopilots, interfaced with the flight management systems, control aircraft 
attitude and thrust from takeoff to landing roll-out. Electronic flight displays are managed by 
computers, as are the detection and monitoring of aircraft state and system parameters. In the 
newest vehicles, aircraft systems management has also been increasingly automated (refs. 4, 22 
and 23). 
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Figure 4: Increasing complexity cf aircraft automation 

The introduction of these automated devices and system; has improved system performance 
and has considerably simplified certain aspects of the piloting task, but it has also increased 
complexity in the cockpit (ref. 21). The versatility of contemporary autopilots nas provided the 
pnot with many more modes of operation by which the aircraft can be controlled precisely, but it 
also requires that the pilot remain apprised of much more information about the automated systems 
(fig. 4). Contemporary flight management systems relieve the pilot of routine navigation chores 
but also require pilots to perform new programming and management tasks and to monitor system 
performance more closely. New displays have enabled the presentation of much more information 
regarding aircraft systems, state, and environmental factors, but they have also considerably 
increased the human operator s information processing load. 

These trends toward more information, greater complexity, and more automatic aircraft 
operation have the potential to isolate the pilot from the vehicle and to decrease his or her 
awareness of the state and situation of the aircraft or system being controlled (ref. 24). This can 
occur either because of information overload, leading to channeling of attention and failure to 
perceive all relevant information, or because redundant perceptual cues have been reduced. It has 
become necessary’ to ask whether the richness of the information supplied to the pilot and the 
complexity of the automation (or at least its perceived complexity, from the viewpoint of the pilot) 
makes it less likely that the pilot will remain fully in command of the situation. 

Humans cannot assimilate very large amounts of raw information in a short period of time, 
nor can they handle tasks of great complexity under tight time constraints. A major objective of 
this document is to facilitate discussion of how much information or complexity is too much. 
Another is to explore how increasingly complex information processing and control tasks can be 
simplified so as to remain within the capabilities of the persons who must perform them. 
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A tliird objective is to consider how much automation is necessary, and why. If systems are 
sufficiently simple (ar.d this should always be a design goal), automation may not be needed. If 
tasks cannot *e simplified, or are so time -critical that humans may be unable to perform them 
effectively, automation must be utilized. Even then, simpler automation will permit simpler 
interfaces and better human understanding of the automated systems. In particular, the structure or 
architecture of automation tools must be simple enough to permit them to be effectivelv managed 
by the human operator (fig. 5). 



Figure 5: A construct of aircraft automation 

A Concept of Human-Centered Automation 

Human -centered automation is a systems concept. Its focus is a suite of automated systems 
designed to assist a human operator/controller/manager to accomplish his or her responsibilities. 
The quality and effectiveness of the puot— automation system is a function of the degree to which 
the combined system takes advantage of the strengths and compensates for the weaknesses of both 
elements. To bound this concept, a fully autonomous, robotic system is not human-centered, by 
definition. The human has no critical role in such a system once it is designed. Conversely a 
fully manual system contains no automation. None of today’s complex human-machine systems 
is at either extreme, however; nearly all provide automatic devices to assist the human in 
performing a defined set of tasks, and reserve certain functions solely for the human operator. Our 
concern is with these partially automated systems in which humans play a central and in the case 
of aviation, a commanding, role. 

The Role of the Human in Highly Automated Systems 

We have already inferred that current aircraft automation is able to perform nearly all of the 
continuous control tasks and most of the discrete tasks required to accomplish a mission. Why. 
then, is the human needed in such a system? Could automation to accomplish the rest of the tasks 
no; be constructed? Would it not be easier and even cheapei to design highly reliable automata that 
could do the entire job without worrying about accommodating a human operator? 
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Under optimal circumstances, the “mechanical tasks” of getting an aircraft from one point to 
another could be accomplished automatically. The aviation system, however, is not an optimal, 
fully controlled system. Many variables within that system are highly dynamic and not fully 
predictable (the severity and movement of weather systems are prime examples). Aircraft 
themselves, while very reliable, sometimes fail in unpredicted and unpredictable ways, as was seen 
in the catastrophic engine failure of a United Airlines DC- 10 at Sioux City in 1989 (ref. 25), the 
structural failure of a United 747 cargo door the same year (ref . 26), and the fuselage failure, of an 
Aloha Airlines 737 over Hawaii in 1989 (ref. 27). 

Automation can also fail in unpredictable ways. Minor system or procedural anomalies can 
cause unexpected effects that must be resolved in real time, as in an air traffic control breakdown in 
Atlanta terminal airspace in 1980 (ref 28). These effects are complex; some are poorly 
understood. Even if the effects themselves could be predicted and modelled, the computational 
engine that can cope with such state variability in real time has not been constructed. 

Though humans are far from perfect sensors, decision-makers and controllers, they possess 
three invaluable attributes. They are excellent detectors of signals in the midst of noise, they can 
reason effectively in the face of uncertainty, and they are capable of abstraction and conceptual 
organization. Humans thus provide to the aviation system a degree of flexibility that cannot now, 
and may never, be attained by computational systems. They can cope with failures not envisioned 
by aircraft and aviation system designers. They are intelligent : they possess tire ability to learn 
from experience and thus the ability to respond quickly and successfully to new situations. 
Computers cannot do this except in narrowly defined, well understood domains and situations 
(refs. 29 and 92). 

The abilities of humans to recognize and bound the expected, to cope with the unexpected, to 
innovate and to reason by analogy when previous experience does not cover a new problem are 
what has made the aviation system robust, for there are still many circumstances, especially in the 
weather domain, that are neither directly controllable nor fully predictable. Each of these uniquely 
human attributes is a compelling reason to retain the human in a central position in aircraft and in 
the aviation system. 


Principles of Human-Centered Automation 
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PREMISE. 

' r he pilot btare th# ultimate it^onobifty tor !t» safety of any fight operation 

AXIOM : 

Th« human operator must be in command 

QQRQLLAftltt 

To command effectively, the human operator must, be mvoived. 

To be invoked, the human operator mu* be informed. 

The human operator must be able to monitor the automated systems 
Automated systems must therefore be pred ksabte 
The automated systems must also be able to monitor the human operator 
Bach element of the system must have knowledge of the others' intent 

Figure 6: First principles of human -centered aircraft automation 


Figure 6 summarizes our view of 
human-centered aircraft automation. 
We assume that the human operator 
will continue to bear the ultimate 
responsibility for the safety of flight 
operations (ref. 6). Federal Aviation 
Regulations confer on the pilot in 
command essentially unlimited 
authority to permit him or her to fulfill 
this ultimate responsibility. This is 
axiomatic in civil aviation. We 
believe that certain corollaries devolve 
from this axiom. They are described 
briefly here and discussed in more 
detail ij\ the Guidelines (section V). 
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To command effectively, the human operator must be involved. 

in commar -d of a vehicle, operation, or situation, the commander mus v 
in olved in the operation. He or she must have an active role, whether that role is to control 
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To be involved, the human operator must be informed. 

Without information about the conduct of the operation, involvement becomes random 
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The human operator must be able to monitor the automated systems. 

The ability to monitor the automated systems is necessary both to permit the mint to 
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Automated systems must be predictable. 
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r | the h “ nl J n °i x ‘ ra, o f rapidly detect departures from normal beha.-ior and thus 
recognize failures in the automated systems. 

The automated systems must also be able to monitor the human operator. 

Humans, of course, are not infallible either, and their failures mav likewise h, 
unpredictable, although a good deal has been learned about human failure modes For that 
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tomated momtonng devices are in use in aviation today, but the availability of hiehlv 
C H om P uters WIth acc «s to much of the needed information m^es tt Vssibfe o 
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Each element of the system must hare knowledge of the others’ intent. 

Cross-monitoring can only be effective if the monitor understands what the oneramr cf 
the monitored system is trying to accomplish. To obtain the benefits of effective monitoHncr 

monilSa nS f° f thC f h ° r automated systems must be known; this applies '•ouallv to the’ 
SK? Sght y an$ ° n thC * POund ’ and ^ m( >retoring of am traffic contiS by 
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n: AUTOMATION: PAST, PRESENT AND FUTURE 


Introduction 

Ln this section we look at automation that has been used in the past. We discuss some of the 
ways in which automation has been characterized, using the functions that a pilot must perform as 
a base. We examine automated systems that have worked well and some that have not been as 
successful, and attempt to draw from these examples issues that need to be considered by 
designers and operators. Finally, we attempt to project current automation technology into the 
future in the hope of discerning new developments that may pose new or additional questions 
regarding the roles, functions and forms of automation technology in the next generations of 
aircraft. The emphasis is on forming the questions that should be considered in specifying and 
designing automated systems. Section 01 examines pertinent characteristics of the environments in 
which automation will be applied, and the people who must operate automated systems. 

Aircraft Functions 

The range of functions that an airplane can perform is really quite limited. An airplane, 
properly controlled, can move about on a prepared surface. It can depan from that surface and 
once above the earth, in the atmosphere, it has freedom of motion in all spatial axes. Finally, it can 
return under control to a precise area on the earth’s surface, land, and again move about on a 
prepared surface, coming to rest at a predetermined spot. All of the sophistication of current 
aircraft is devoted to insuring that this limited range of functions can be performed with complete 
reliability and safety. 

All aircraft controls and systems are devoted to the performance of this narrow range of 
functions. Fadden’s (ref. 30) taxonomy is very useful. Control automation assists or supplants a 
human pilot in guiding the airplane through the maneuvers necessary for their safe performance. If 
aircraft flew only under visual meteorological conditions over familiar routes between familiar 
airports, experienced pilots would need only very simple, straightforward automated devices to 
assist them in performing their missions. 

Control automation includes devices devoted to the operation of airc: aft subsystems, which 
are quite complex in modem aircraft. These systems control fuel, hydraulic power, alternating and 
direct current electrical power, pneumatic engine and anti-icing systems and pressurization, landing 
gear and brakes, and sometimes other functions. 

Much of the automation found in contemporary aircraft is not devoted to controlling the 
aircraft, but rather to informing the pilots about the airplane’s state and location and the location of 
real or imaginary sites on the surface of the earth. Fadden has called this “ information 
automation.” It includes all of the displays and avionics devoted to navigation and environmental 
surveillance, and also digital communications with air traffic control and airline operations. 
I' .formation automation is expanding rapidly at this point in time; the next generation of transport 
aircraft may incorporate electronic library systems containing much of the data now stored on 
board in hard-copy form. 

A third category can be added to this automation taxonomy, which one could cai! 
“management automation.” This term denotes automation which permits the pilot to manage the 
conduct of a mission. Roughly speaking, management automation permits the pilot to exercise 
strategic, rather than simply tactical, control over the performance of a mission. In this sense, 
management refers to goal-directed rather than function -directed behavior. The pilot establishes a 
set of goals; management automation directs control automation in the performance of the required 
functions and directs information automation to keep the pilot informed of the state of the airplane 
and of progress toward satisfying the specified goals. 
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Air Lines LlOi 1 that crashed m 'he Everglades did so because of a failure to maintain surveillance 
of the airplane’s night path while on autopilot (ref 31 ). A DC- S crashed at Portland after running 
out of fuel because the flight crew, was preoccupied with preparations for an emergency landing 
(ref. 32). Many “controlled flight into terrain” accidents have occurred because of failure or 
inability to maintain positional awareness. The worst accident in air carrier history', the collision of 
two 747s at Tenerife, occurred because of a failure to communicate unanibiguousiy (ref. 33). 

These three tasks are simple enough when decomposed, bui thev can create severe workload 
burdens when performed simultaneously under demanding conditions. Such conditions are often 
not of the flight crew’s making; figure 7 indicates that there are open- loop forcing inputs from air 
traffic control, from airline companies, and from the environment. Automation can lighten this 
burden on pilots, first by relieving them of the burden of inner-loop control, second by providing 
integrated information, and third by allowing them to manage 3 t a higher ievei. The figure also 
s ,J S§csts, however, that each of these kinds of automation increases the information processing 
burden upon pilots, by requiring them to keep track of additional systems and data. Thus, while 
automation has decreased the bandwidth of pilots’ tasks, it has increased mental (perceptual and 
cognitive) demands upon them. It has also increased the “overhead”: the knowledge and 
information necessary to operate the automation itself. 

v automation paradox ; Herein lies a paradox of aircraft automation. To the extent that it 
«*as taken oyer inner and intermediate loop tasks, it has changed the tasks of the oilot, 
notwithstanding the conclusions of the President’s Task Force on Crew Complement. Whether it 
^ Al / htened depends to a considerable extent on the demands of the task* and on the amount 
of information and attention required to operate and monitor the automated systems and displays. 
It has been observed (refs. 19 and 34) that automation may decrease workload when it is already 
comparatively low, during cruise flight and at high altitude, but that it may increase workload when 
u is already high, during climbing or descending flight in terminal areas. It should be noted 
immediately that it is not clear whether this is an inherent automation problem, or whether this is 
because we have not provided simple enough interfaces through which pilots interact with 
automation. In short, have we automated the wrong things, or have'we simply done an inadequate 
job :n some of our efforts to implement higher levels of automation m a simple enough manner? 

fhe poim of this discussion is that our information concerning the effects of automation, and 
particularly its unwanted effects, does not usually differentiate between “good’' automation, poorly 
implemented, and “bad” automation, in terms of roles and functions. It is critical that these be 
differentiated in any discussion of automation, and we shall try to keen this difference m trend as 
we proceed to a discussion of the automation that has been developed to date. 


Control Automation 


Here we will describe automation that has been implemented in transport aircraft to date. This 
list is not exhaustive, but it attempts to place new automation in the context of increasing 
requirements and in the context of other enabling technology. Figure 9 illustrates the control asnect 
of the pilot’s task. 
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Figure 9: Control automation 

Flight path control: As indicated in the introduction, control automation has been around 
for a long time. The first automated controllers simply maintained attitude in the roll axis; later 
generations of such devices have been called “wing levelers” and they continue to be available for 
general aviation aircraft today. Originally introduced to ease pilot workload in flying extremely 
unstable airplanes, they still perform that function, though aircraft stability has improved 
dramatically. Autopilots, as such devices came to be called, added other axes of control; the device 
used in the world flight of Post’s Winnie Mae was a three-axis device which maintained the aircraft 
m pitch, roll and yaw, the three inner-loop functions required (ref. 2). 

In the early generations of autopilots, the gyroscope which sensed roll and yaw was also used 
as a heading, or directional, gyro in the cockpit. Sensors in this device permitted a constant 
heading to be specified by the pilot and held by the autopilot, though the gyroscope was subject to 
precession and its directional component had to be reset frequently by reference to the aircraft 
magnetic compass. Some autopilots of this period later incorporated a relative barometric al t i tud e 
sensor which could be used to hold altitude as well, once the proper altitude was attained, and 
indicated to the sensor. In these developments, we sec the beginnings of intermediate loop control 
m which the pilot was able to specify heading and altitude to be maintained, rather than simplv roll 
and pitch attitude. 


To go beyond these tasks required many years and the development of complex electronic 
oeviees. The advent of precision radio navigation systems capable of providing both azmiu'h?! and 
distance information occurred during the late 1940s and early 1950s. Very high frequency (VHF) 
navigational radios eliminated problems due to radio frequency interference from thunderstorms 
but they were limited to iine-of-sight coverage. VHF omnidirectional range IVOR) transmitters 
became the foundation of the common system” of aerial radio navigation. Distance measuring 
equipment (DME), consisting of airborne interrogators and ground transponders, was co-located 
with and augmented the information provided by VOR transminers (figure 10). 

F° r precision approach guidance, VHF high precision directional “localizer” transmitters 
CLOC) and ultra-high frequency glide slope transmitters (GS) were located on airport runways, 
together tney formed the basis for the instrument landing systems (ILS) which are still the standard 
approach aids in the current system. DME has more recently been co-located with ILS as well as 
with enrou te navigation aids. 

These devices and specialized aircraft navigational radio receivers or transmitter-receivers 
(transceivers) provided aircraft with positional information of higher precision Their signals 
provided unambiguous azimuthal and distance information, which could be used either by pilots or 
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tendency When the 707 derivative of the KC-1,35 was introduced, yaw dampers were provided to 
counter this problem. Though nominally under control of the pilot (they car. be turned off), yaw 
dampers in fact operate autonomously in ail jet aircraft. The same can be said of pitch trim 
compensators, used to counter the tendency of jet aircraft to pitch down at high Mach numbers. 
These devices, first introduced in the DC-8, likewise operate essentially autonomously. 
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Figure 1 1 : Dual-cue (left) and single-cue Flight Directors. Aircraft is left of localizer and just 
below glide slope; directors are commanding a right turn and climb to regain centerlines. 

Sw’ept-wing aircraft also required more precise control to compensate for decreased stability 
and higher speeds, particularly at high altitudes and during approaches to landing. Flight bv 
reference to precision navigational data was made easier by die development of flight director 
displays which provided pilots with computed pitch and roil commands, displayed as shown in 
figure. 1 1. The directors were much easier to fly than unmodified VOR or localizer and glide slope 
data, which were presented on the periphery of the same instruments used for the director displays. 
Such displays rapidly became a mainstay of transport aviation; they made it possible for pilots of 
average ability to conduct maneuvers with high precision, though concern was expressed about 
“losing sight of raw data ’ while relying upon the directors for guidance. A Delta Air lines DC-9 
impacted a sea wail short of runway 4R at Boston during an approach in severely limited visibility 
(ref. 36); its crew is believed to have followed the flight director which was set in “attitude” mode 
rather than “approach” mode, without adequate cross-checking of localizer and glide slope data. 

Control of aircraft longitudinal and lateral trim is maintained by several means including small 
trim tabs on control surfaces. Automatic him control devices which operate either on these 
surfaces or on the aircraft control system have been components of autopilots for many years. 
Most operate autonomously in certain autoflight modes. Some newer aircraft with advanced 
primary flight control systems incorporate a load factor demand law which continuously trims the 
aircraft toward a 1 G condition. This relieves the pilot of the task of re. immir.g the airp.ane after 
power changes, but it also removes tactile feedback regarding longitudinal trim. Other aircraft, 
which incorporate fuel shifting to minimize aerodynamic drag by adjusting aircraft center of 
gravity, also trim the airplane to minimize pilot attention to the load shifting. Most of these devices 
require no pilot input or attention under normal conditions. 

Spoilers, aerodynamic surfaces on the wing long used in gliders to moderate flight path during 
approach to landing, were installed on jet aircraft to increase control authority’ and reduce adverse 
yaw, to assist in slowing these aerodynamically clean aircraft, to permit steeper descents and to 
dump aerodynamic lift during landings. Tnough early jets had manually-controlled spoilers, later 
generations had spoilers that were activated either manually, in flight, or automatically by main 
wheel spin-up during landings, 'rhe Lockheed L101 1-500 incorporated a sophisticated system 
known as direct lift control for automatic precise flight path control during automatic approaches. 
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Some of the newest transpons ; also incorporate automatic gust alleviation control using spoilers, 
rhe newest a^cra.i also provide automatic spoiler operation if power levers are nulled fully back 
during an aborted takeoff, and may apply autobraking when ground spoilers are deployed. * 

Some aircraft now in service (A32G) incorporate “fiy-by-wire” instead of conventional 
mecnamcal or Hydraulic control systems, in fly-by-wire systems, the pilot’s controls actuate 
m dCV1CCS wh ° S , e 0 ' Jtl ’ uls m dir ® c * ed to hydraulic or electrical servomechanisms- 
S-™ eV1KS tU ' tuate m f contro! surfaces. T he advent of fly-by- wire systems has provided control 

"i. *?*' Elior "» contro1 responses ,o match desinS 

entuawtensucs. An inherently unstable airplane can be made to fed, to the pilot, like an sxtremelv 

stable platform, ana indeed, some of these aircraft deliberately incorporate a degree of reduced 
longitudinal stability, whicn is compensated for by a stability augmentation svstem Even 
manually-controlled flrght in ,uch aircraft is actually accomplished by one or m-rfcSnpmen 
interposed between ti.e pilot and the machine. computers 

flj«*.» rhiS c , ontro! arc hitecture offers other opportunities to the designer, who may now limit rhe 

^annrn-S f rec,s ?y tempered degradation of flying qualities as safe operating limits 

are approa^ned, or simply render it impossible for me pilot to exceed certain boundaries. 7 nese 
trategies are usually referred to as ‘envelope protection,” though the latter strategy could more 
appropriately be termed “envelope limitation ” rw " 1 “ CCj ‘ a “p* 



: z “ • r . , . T * IV ^ ^ UIUIUaUI UK 2»(UC GDC 131111 2 limits 

Implanons of these changes in the allocation of functions require discussion ( see p. ?9-30). 

It is likely that most or all future large transports will incorporate flv-bv-wire tor flv-bv-heh* 
using eiectro-optical conduits for control signals) as does the A320.' Along with ffv-b'v-wire 

sv temS h T S h ? ine * considerab |f increase » ^ flexibility of autopilot and flight management 

tJ eWeSl sys * eirs have ; a £ reat ra any modes of operation, each of which must be 
understood oy the puot if they are to be used appropriately. 

Z COntr ? i: Reciprocating engine aircraft had only limited inner-loop automation of 
carurol systems. Automatic mixture controls which utilized barometric altitude data to adjust fuel- 
installed in the DC-3 and later transports. Automated control of propeller pitih was 
introduced aunng the 1930s, no: long after controllable-pitch propellers. LrVtt,uK ffl > 

h^f£n n T UCd ?reC1Se syi ?. chrcnizauon t of Proper speeds to minimize vibrato and annoying 
n °‘f ’ propel !f r ^synchronizers were developed to match the propeller speeds 3 
ah engines. Hire tries, propeker and mixture controls were not integrated, however until the recent 
introduction into general aviation of a Mooney airplane poweredby a new P^sche c^fre 
incorporating a single power controller. y « new rorsene enone 

civil F on^, 106 W T Id War n ’ SUTpib ‘ S miltar >' aircraft werc purchased in considerable number by 
civil operator. Tney mus required civil registration to standards quite different from those 

imposed by the armed forces in the heat of war. Some of these aircraft had undesirable flvinc 
J , n ^ er som . e circurcs tances. In particular, some ’were extremely demanding toflv 

tai un : at , I 1 ow s - peed , dunr ^ or shon[ y following ukeoff To ease the asyirroetri l 
drag causeu by a windmilling propeilet and assist pilots in maintaining control during the critical 

laJCe ° ft ’ auton ^^ c Propeller feathering systems were introduced in some aircraft 
Th^se aevice:, senseo a lossjof thrust in a malfunctioning engine and rapiuiy moved its propeller to 
l “PC lon - 1 ae devices provided crirical assistance when they functional properly 
b-lr.Url Clde j occurred after fully functional engines were shut down autonomous h> There 
m Jhtwufr" ^ ct - :de / lts ’ sucb “ fha* ot an Aerospatiale Nord commuter airplane at Los Ange'es 
in which pilots have shut down the remaining engine after an autofeathering system has operated to 
make the other malfunctioning engine ineffective (ref. 37). Autofeathering^tems^ 
by pilots, an; independent of pilot control and they do not notify the pilot before taking iricn To 
that extent, they remove a portion of the pilot’s authority, a topic on which more will be said later. 
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The earliest autothrcttle systems in turbojet transpons simply controlled fuel flow to turbojet 
engines. They were relatively crude and were not liked (or much used) by pilots because of the 
roughness of their power control (which disturbed passengers). Later devices, more sophisticated 
controllers and better powerplant models improved the operation of autothrottle systems. More 
recently the development of full-authority digital engine controllers (FADEC) has improved still 
further the precision with which jet powerplants can be controlled. Nearly all contemporary jet 
aircraft incorporate autothrust systems which are used to set engine power to automaticaliy- 
determined parameters even during die takeoff roil. 

Landing gear: Landing gear retraction and extension is still a manual procedure in all 

transport aircraft, but information automation in the form of configuration warning systems has 
been used since it was first discovered by a hapless pilot that retractable gear aircraft could be 
landed with the gear retracted. Most such systems have provided a warning if throttles were pulled 
back. The use of idle power routinely during descents in jet aircraft required that the landing gear 
warning system be modified to take account of barometric altitude or other factors that could 
indicate that landing was not contemplated at the time. Aircraft without such modifications 
provided large numbers of nuisance warnings to pilots. In an imaginative attempt to circumvent 
the problem of gear-up landings, the Piper Aircraft Company developed and installed an automatic 
gear-lowering device on its Arrow series of general a viation aircraft. The device used a simple 
pitot mounted in the propeller airstream t sense reduced power and air speed. It worked 
autonomously and effectively, but it also 1 equired the pilot to exert continuous pressure or a 
bypass switch to prevent gear extensior uuring intentional low-speed maneuvers at altitude, a 
difficult task when both hands were required for aircraft and power control. 

Virtually all jet aircraft have anti-skid or anti-lock braking systems, in which wheel rotational 
speed is sensed and used to tiodify brake application. New er generations of transport aircraft also 
incorporate automatic braking upon wheel spin-up. The braking force is chosen by the pilots prior 
to landing; brake application using the selected schedule is then automatic. 

Aircraft subsystems: In early generations of jet aircraft, the many aircraft subsystems 
were operated in the conventional way, with switches in the cockpit controlling most aspects of 
system operation. Three-person flight crews included a flight engineer whose primary task was 
the operation and surveillance of these systems: electrical, hydraulic, pneumatic and fuel systems. 
In some aircraft designed for a crew of two persons, attempts were made to simplify system 
operations somewhat to decrease flight crew workload. Seat belt and no smoking signs were 
activated automatically; automatic load shedding was introduced to simplify electrical system 
reconfiguration following a generator failure; air conditioning pack deactivation was automatic 
following an engine failure on takeoff, etc. These and other measures represented a piecemeal 
approach to the problem, however; subsystems were still considered in isolation by designers, and 
until recently, system operation during failures was still complex. 

The DC9-80 (now designated the MD-80) introduced a somewhat simpler architecture and 
more subsystem automation in 1980 (ref. 38). The Boeing 767/757 series of aircraft incorporated 
simplified procedures and a structured “need-to-know" concept in its information automation. An 
engine indicating and crew alerting system (EICAS) provided pictorial and alphanumeric 
information on cathode-ray tubes (CRT) in the cockpit. Pilots were informed by alphanumeric 
messages of failures that required crew action; the aircraft “Quick Reference Handbook” (QRH) 
provided the required actions in checklist form. The “do” lists were also considerably simplified 
(ref. 39). 


When the Airbus A3 10 was introduced, it incorporated an electronic centralized aircraft 
monitoring system (ECAM). This system provided synoptic diagrams of aircraft subsystems 
which displayed system condition in pictorial form on cathode ray tube (CRT) screens (ref. 40). 
Paper checklists were still used to handle faults, which were annunciated in alphanumeric form on 
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a separate screen. The later A320 had a very similar system. In the 7 47-40G, the first 747 model 
unsigned .cr a crew of two persons, Boeing incorporated system synoptics into its EICAS system 
while retaining alphanumeric aiemng messages and paper checklists that informed pilots of ail 
acaons to be taaen tollowmg an annunciated condition, as in its 767,757 types (ref. 22). 

in i oorf ^ S ^Co- pany took a somewhat different direction in its MD-11, introduced 
liaiSvin ' The MD- is a very long-range derivative of the very successful DC- 10, but 
vuth a radically redesigned two- person cockpit. Douglas cockpit designers were very concerned 

- D V WOr ^ ** USk w 7 kk * 1 aralyses ,n,licated *“> ™joldecTM !es to 
wOT^oad -Ouid be t hieved bv automating aircraft subsystem operations. To quote Douglas ’ chief 

operanons. One of our fundamental strategies has been: if you know what you want the 
K 1 * u top *> «” 41). Many normal subsystem functions formerly perfSmS 

by the fkgh. crew have been automated; handling of faults is also largely automatic. 

”P’ e , fV p, 1 1 en .p ne and aJen displays (HAD; are superficially similar to the systems described 
above but the subsystem management approach is markedly different. Most subsystem 

^ f ^ a r;, f0ll0Win8 cora P° nent malfunctions or failures is automatic. Pilots are informed 
i i an alert, they may cancel the associated alerting message by selecting and viewing the 

Snnrh a a v^^ n ° P H ° 'h7 hlS t Cti ° n D iS n0t [ equired irnrne diately g however, since the aopropriate 
erections ^ ady ^ taken ' Paper checkhsts are still used as a reminder of required flight 

The Boeing 111 now in design, will incorporate electronic checklists with some 1-vel of 
automate sensing of checklist items (ref. 5). ifwill remind pilots of stipp^acS and will 
permit the crew to skip back and forth betv/een checklists if required because of multiple failures. 

Discussion of Control Automation 

Flight path control ; Control automation has a long and honorable history Most asDects 
of control automation are well understood and are not contLersial. Taken sinXmoTautoS 

° n comparat,vel >' sim P le niodels diat can be explained fairly easily 
i p ots. The behavior Ox these systems is predictable. Information concerning the actions of the 
automation is observed in airplane behavior, this information is usually, though nlxim JlhW 

thl f h ? h a t0 pilot invo!v 5 raem l£ is dso usually sufficient to permit the pilot to monitor 

oft he automation. Problems m monitoring control automation haveoccurred when 

ref 1 5 or IS ™ g reasonab >’ incorrectly (as in the SAS DC-10 accident atZJ YoS! 
rain L 5 i ■ r * hen P ,lots were not alert, for whatever reasons, to the state of the automation 'the 
S tf" 1 747 mishap near San Francisco, ref. 14). Control automation data to this time'are 

pniLton" SltaiJdo^ge'w) 1 ' 01 ° r CUCUmiCnbe pil °' behavror (5ec Session of envelope 

c , .. Pl , io£rt s P°"f s t £L anci use these automated flight control devices and systems have been 

1 7 hey ^ a 7 e not found m03t such devices to ^ difficult to understand oruse 
effectively, though the proliferation of control modes in the newest fly-by-wire systems noses 

many more potential problems than did earlier generations of control automation in which the^lot 
was more directly coupled to the control surfaces. In the past, as an insmnee the lafee- 
displacement control yokes used by the two pilots were directly and physically coupled- they were 
also coupled to the automation and thus moved perceptibly when the autopilot made^ontioUnputs. 

A ^ bUS A3 u °’ SH^i^isplacement sidestick controUers are install they are not cross- 
upied, and inputs by one pilot are not visible or tactually perceptible bv the other A fairlv 
complex mixing algorithm, a lockout device and visible indicator lights are provided to assist the 

b!w ^ r ! Cn0 ^? 8 who , ls m C0R£rol and to what extent - 11 should be mentions! that the C* conmrf 
‘ a ^ RS r d in airplane is not speed stable, so different feedback loops may be required 
Autopilot control inputs are not fed back to the sidesticks. The lack of tactile feedbik temShe 
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sidesticks is not known to have presented problems thus far, but it has led to questions regarding 
the usefulness of such feedback in transport aircraft 

Tne large number of control modes in highly automated aircraft has also been of concern. The 
A320 autopilot “open descent” mode, and its coupling to the flight director system of the airplane, 
may have been a factor in the Indian Airlines landing accident at Bangalore, in that there appears to 
have been a late recognition on the pan of the flying pilot regarding the need tc switch both 
directors to another mode prior to the final approach (ref. 13). Incident reports have documented 
similar occurrences with earlier recovery. This mode, like all others, is annunciated in ext on the 
flight mode annunciation panel; the problem rather appears to be a lack of understanding of a 
relatively complex, highly integrated set of automated systems and of their interactions. Air 
carriers operating the A320 have instituted procedures designed to prevent open descent below a 
safe transition altitude on final approach, but it must be asked whether procedural approaches to 
such problems are as effective as designs that are easier to understand or that are not susceptible to 
misunderstanding. 

Error resistance and error tolerance: System modes such as this necessitate a 
consideration of human error in the operation of such systems. It is known that human errors will 
occur, such errors are contributory factors in roughly two-thirds of air carrier accidents. Indeed, a 
desire to minimize such errors has been a part of the rationale for the implementation of advanced 
aircraft automation. At least two approaches can be taken to minimize the effects of human error. 
A system may be designed to be highly error-resistant ; that is, to make it very difficult for the 
human to make an error in the operation of the system. Simplicity in system architecture and the 
provision of clear, unambiguous information on display interfaces are important tools with which 
to improve error-resistance. (See Nagel, ref. 42, for discussion of these concepts.) 

Attacking the problem of human error by design of error-resistant systems ,s not enough, 
however; it is also necessary that system designs be error-tolerant, able either to trap enors or to 
mitigate their effects. Such error-tolerance can be strengthened by designing monitoring 
capabilities into the automation, as is done in configuration monitoring systems, or by introducing 
system envelope limitations, as is done in the A320 flight control system and several power control 
systems. The use of procedural controls as a substitute for designing inherently error-resistant and 
error-tolerant systems may be effective, but is less foolproof. In the case mentioned above, 
procedures have been evoked to make the system error-resistant, since it is not inherently error- 
tolerant. Both error resistance and error tolerance, discussed further in section IV, must be 
paramount aims of the cockpit design team. 

Power control: The A320 also incorporates thrust levers that do not move when power is 
applied or withdrawn by the autothrust system. Visual ECAM displays indicate both power 
commanded and power delivered, but ancillary tactile or visible feedback is not provided by the 
levers themselves. This difference from previous aircraft has evoked fairly widespread concern in 
the operational community, though it should be said immediately that the concern does not appear 
to oe manifested by airlines operating this aircraft type. 

Based on limited operating experience to date, it appears that pilots are usually able to obtain 
all needed mformation concerning flight and power control either with, or without, tactile feedback 
of control movements instituted by the automatic systems. This may be a case in which there is not 
“one best way,” based on empirical or analytical knowledge, to automate a system, and in which, 
therefore, any of several approaches may be effective, provided that pik ts are provided with 
sufficient information to permit them to monitor the systems effectively. Unfortunately, 
information concerning the rare cases in which a particular innovation is not effective in providing 
adequate feedback may not come to light unless a mishap occurs. Research into the proper 
complement of control and monitoring functions for automated cockpits is badly needed. 
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s “ bsystem5: Automated flight control systems usually provide immediate 

n^ dnU ^ functioning ' F^hack concerning aircraft subsystem 
..tatus may oc much less obvious. Older three-person aircraft incorporated a multiplicity of lights 

provide the flight engineer or pilots with such information; cockpit automation and 
5 amplification efforts have attempted (with considerable succes s) to minimize die amount of system 
information which the crew must monitor. The provision of simpler interfaces, however has not 
been cue entirely to the design of simpler aircrait subsystems. On the contrary, system complexity 
if so ™ e case * has in creased greatly. Where simpler interfaces reflect simple^ subsystems the 

?f"!! ,tS rt arE ‘ °^. vlous - a sm ‘‘P le interface hides a functionally complex system, there may well 

t?e covert problems waiting to emerge during a difficult emergency. 



Fig. 12: Ove nead panel, AC electrical system. 747-400. 


Practices with respect to the provision of 
information regarding subsystems have varied, 
from the Boeing 767/757 “need-to-know” 
concept, to the provision of synoptics simply 
for pilot information in the 747-400 (figure 13), 
to synoptics that are the primary means of 
subsystem feedback in the MD -11 and A- 
310/320 types. The A320 also presents a 
limited number of normal checklists on its 
ECAM screens; a broader implementation of 
electronic checklists with automatic sensing of 
skipped actions is under consideration for the 
Boeing 777, now in design, and will likely be 
seen in many future transport aircraft. Such 
automation will permit the flight crew to 
alternate among several checklists when 
necessary to resolve compound faults, though 
automated prioritization schemes for such faults 
are under consideration by human factors 
researchers. 


Cockpit simplification has included drastic 
reductions in the number of subsystem controls 
and also standardization of those controls, 
nearly all of which are now lighted pushbuttons 
with legends. Critical buttons may be guarded. 
The switches are usually located in subsystem 
diagrams (figure 12). The use of pushbuttons 
of identical shape and size in place of a variety 
of toggle switches has cleaned up the overhead 
panel, but it has made more difficult the 
location by feel of a given switch. 
Manufacturers state that their “dark cockpit” 
concept, in which buttons are lighted only if 
they require attention, indicates those that must 
be used, and point out that buttons should be 
actuated only after visual confirmation of which 
button to press. As noted above. Douglas 
Aircraft Co. has automated large segments of 
the subsystems management task (a backup 
manual mode is provided, and all switches 
necessary for subsystem control are on the 
overhead panel). 



Fig. 13: Synoptic display for system shown in fig. 12. 
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Research is underway on CRT screens 
on which subsystem synoptics containing 
“soft switches”, touch-sensitive areas 
overlying switch depictions, would be 
depicted. Subsystem control would be 
affected directly through such screens, 
which would respond to switch actuations. 
The advantages and disadvantages of this 
approach can be hypothesized but are not 
yet clear. Dedicated panels in which 
switches are always in the same place 
permit memorization of switch locations 
and set patterns of behavior, but 
pushbutton switch legends contain small, 
sometimes cryptic alphanumeric legends, 
and presbyopic older pilots may have 
difficulty reading legends on the overhead 
unless they are fitted with special correcting 
lenses. Synoptic subsystem diagrams will 
require familiarity with a number of differ- 
ent switch locations, distinct f or each system depicted. The legibility of touch screens or. the 
primary display panels should be considerably better, but operation of touch-sensitive switches 
may be more difficult in turbulence; they will also be farther from the pilots. Research will be 
needed to determine whether the potential advantages of “soft switches” outweigh their drawbacks. 

The amount of aircraft status information that must be provided is a function of the human 
operator roles in mission accomplishment. If humans are expected to control aircraft subsystems, 
they must be given that minimum of information necessary to perform those tasks. If the 
subsystems are controlled autonomously and the human’s only role is to remain cognizant of their 
status and the effects upon mission accomplishment, a quite different quantity and type of 
information concerning system s tanas may be called for, though it is necessary in this case that the 
operator understand not only the system controlled but also the automation that is controlling it, so 
that automation failures can be detected. In this case, it may not be necessary that non-flight critical 
information be made available at all. For these reasons, it is necessary to consider the range of 
control and management options to be provided the pilots of advanced, highly-automated aircraft 

The control-management continuum: It is implicit in the above discussion that pilots 
may play any of a variety of roles in the control and management of highly automated aircraft. 
These roles range from direct manual control of flight path and all aircraft systems to largely 
autonomous operations in which the pilot’s role is minimal. The development of highly capable 
automation makes it necessary to consider these roles in more depth. A control-management 
continuum is presented in figure 15 to facilitate this discussion (ref. 43). 

None of today’s aircraft can be operated entirely at either extreme of this spectrum of control 
and management Indeed, an aircraft operated even by direct manual control may incorporate many 
kinds of control automation, such as yaw dampers, a pitch trim compensator, automated 
configuration warning devices, etc. Conversely, even remotely piloted vehicles are not fully 
autonomous; the locus of control of these aircraft has simply been moved to another airborne or a 
ground control station. Nonetheless, today’s airplanes, and those of tomorrow as well, 
incorporate elements at or near the extremes, and the full range of options must be considered. 

The ability to control an airplane without the assistance of automation must be demonstrated 
by any pilot before a type rating for that airplane can be issued, if the airerft itself is certified for 
such operation. This includes die ability to handle the machine without even the automation aids. 



Fig. 14: Touch-sensitive screen switches on a CRT display 
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such as yaw dampers, that normally operate full-time in an autonomous mode. That flying task, 
however, can be extremely demanding in a machine in which stability is relaxed and stability 
augmentation is provided by redundant, fai. -operational systems. 
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AUTOMATION FUNCTIONS 

HUMAN FUNCTIONS 
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MANAGEMENTS 

/;• 

fourty sc tonomaus operator 
P*iot not usually informed 
System m ay o' may not oe capable of 
beiog disabled 

Pilot generally has no role in operation 
Monitoring is limited to fault detection 
Goals are self-defined, pilot normally 
has no reason to intervene 

Essentially autonomous operation 
Automatic reconfiguration 
System informs pfot and 
monitors responses 

Pilot informed of system intent. 
Must consent to critical decisions 
May ntsrvene bv reverting to lower 
level 

i { MANAGEMENT y 

Full automatic centre* of 
aircraft and flight 
Intent dwgno itic and 
prompting function* provided 

Pilot must consent to state changes. 

eheckiist execution, anomaly resolution, 
Manual execution of critical actions 
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111 MANUAL M 
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MANUAL Y 

Autopilot & aulottvottie control 
of flight path 

Automatic communications and 
rev following 

Pilot commands hdg. alt, speed; 
Manual ^ ooupfed navigation; 
Commands system operations, 
checklists, communications 

Enhanced control and gwdarce, 
1 Smart advisory systems; 

[ Pctennai ?!«ght path and other 
predictor displays 

i— — 

Pilot m control through CWS or 
envelope- protected system; 
May utilize advisory systems, 
System management manual 

! 

Flight director, FMS, r»av modules; 
! Data link wtth manual messages; 
Monitoring of flight path control 
and eweraft systems 

Direct authority over all systems; 
Manual control, aided by f/O and 
enhanced navigation displays 
FMS is available; trend info on request 

Normal warring* and aletTs provided. 
Routine AGaRS communications 
performed automatical 

Direct authority over a!! systems; 
Manual control utilizing raw data, 
Unaided daeisiorv making; 
Manual communications 


Figure 15: A continuum of aircraft control and management 

Most flying today is assisted to a greater or lesser extent, if only by hydraulic amplification of 
control inputs. Flight directors, stability augmentation systems, enhanced displays, and in newer 
aircraft various degrees of envelope protection, assist the pilot in his or her manual control tasks. 
To some extent, pilots can specify the degree of assistance desired, but much of the assistance 
operates full-time and some of it is not intended to be bypassed. The pilot remains in the control 
loop, but it is an intermediate rather than the inner loop. 


Whether pilots of limited experience should be required by regulation to have and demonstrate 
this level of manual control ability in today’s airplanes, which incorporate highly redundant 
automated control assistance, is beyond the scope of this document Airbus has rendered this issue 
moot 10 some extent by providing shared control as the A320’s basic control mode. Pilot control 
inputs are considerably modified and shaped by the flight control computers; envelope limitations 
prevent him or her from exceeding pre-determined parameters. In this airplane, pilots are provided 
nth considerable assistance even during control failure modes; manual flight capability is limited 
o rudder control and stabilizer trim and is designed only to maintain controlled flight while the 
automated systems are restored to operation. Under normal circumstances, the aircraft automation 
is responsible for much of the inner loop control, though control la vs are tailored to respond in 
ways that seem natural to the pilot. In the MD-11, a combination of longitudinal stabil'tv 
augmentation and control wheel steering is in operation at all times; roil control wheel steering is 
available as an option. 6 ' 

When an autopilot is used to perform flight path (and/or power) control tasks, the pilot 
lecomes a manager rather than a controller (this is also true to some extent of the shared control 
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option). The pilot may elect to have the autopilot perform only the most basic functions: pitch, roll 
and yaw control (this basic autoflight level is not available in all systems); he or she may direct the 
automation to maintain or alter heading, altitude or speed, or may direct the autopilot to capture and 
follow navigation paths, either horizontal or vertical. This is mcuigement by delegation, though at 
differing levels cf management, from fairly immediate to fairly remote. In all cases, however, the 
aircraft is carrying out a set of tactical directions supplied by the pilot. It will not deviate from 
these directions unless it is incapable of executing them. 

As always, there are exceptions to the generalizations. The A320 will not initiate a 
programmed descent from cruise altitude without an enabling action by the pilot (This is the first 
instance of which we are aware in which management by consent has been embodied in aircraft 
automation.) Other modem flight management systems require that the pilots provide certain 
inputs before they will accept certain conditional instructions. 

Management by consent implies a situation in which automation, once provided with goals to 
be achieved, operates autonomously, but requires consent from its manager before instituting 
successive phases of flight, or certain critical procedures. An example is given above. The 
consent principle has important potential advantages, in that it keeps pilots involved and aware of 
system intent, and provides them the opportunity to intervene if they believe the intended action is 
inappropriate at that point in time. (Taking the princip e to its logical conclusion, it can be argued 
that even ya w damping in older airplanes is by consent since the pilots can disable the function. 
This may not be the case in future aircraft, however, in which more of the automation will be 
transparent to the flight crew.) 

This management mode may become more important as “smart” decision-aiding or decision- 
making systems come into use (see page 94). A protracted period of close monitoring of these 
systems will be necessary; requiring consent is one way to monitor and moderate the potential 
influence of these systems. While management by consent is an attractive option worthy of further 
exploration, it must be informed consent. More fundamental human factors research is needed to 
identify how to implement it without the consent becoming perfunctory. 

Management by exception refers to a management-control situation in which the automation 
possesses die capability to perform all actions required for mission completion and performs them 
unless the pilot takes exception. Today’s very capable flight management systems will conduct an 
entire mission in accordance with pre-programmed instructions unless a change in goals is 
provided to the flight management system and enabled by the pilots. This occurs relatively 
frequently when air traffic control requires a change in the previously-cleared flight path, most 
often during descent into a terminal area. 

As previously stated, the desire to lighter the pilot’s workload and decrease the required 
bandwidth of pilot involvement led to n,_. a of the control automation now installed in transport 
aircraft. The more capable control and management automation now in service has certainly 
achieved this objective, with benefits to safety, reliability and productivity. It also has the capacity, 
however, to decrease markedly the pilot’s involvement with the flying task and even with the 
mission. Today’s aircraft can be operated for long periods of time with very little pilot activity. 
Flight path control, navigation, and more recently subsystems management are almost entirely 
automatic. The capable, alert pilot will remain conversant with flight progress despite the low level 
of required activity, but even capable, motivated pilots get tired, lose their concentration and 
become diverted, or worry about personal problems unrelated to the flight. A critical task of the 
designer is to find ways to maintain pilot involvement during operation at higher levels of 
management 

This is less simple than ii sounds, for pilots will both resent and find ways to bypass tasks 
that are imposed merely for the purpose of ascertaining that they are still present in the cockpit. 
Tasks to maintain involvement must be flight-relevant or even flight-critical, and equally important. 
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perceived by pilots to be relevant. Designing pilot involvement into highly automated 
22“* 7 111 not * ea$ y but “«** »»e accomplished to minimize boredom and complacency 
Jocularly in very .ong range aircraft which spend many hours in overwater cruise, The progress 
of avionics, satellite navigation and communications, and data link may very well have an ophite 
result unless this uniquely human L tor receives more consideration than it has to date. 

S a * rcra ^ t 216 °^ tc P cas i er to control than they are to manage, because interacting with 

Rpnro^mS2r^ Sy ’ te ? S - 1S accom P hshed pnmari ly by entry of alphanumeric information! 
Reprogramimng today s fiigm management computers can be cumbersome, and such flight pa*h 

vZ% t&S t ^P^by reverting to a lower level of automation rather 
y a.tenng t**e FMS instructions. Inis in itself may be a problem because some of the 

rh-X°r n h Pr nH by thC fU - ly au£oma£ed configuration may be removed bv such reversion. On 
ti?‘ 4nd ' reprogramnung ca n occupy attention that might better be directed elsewhere 
Making this interaction easier and less error-prone is a major task facing the human factors 
community, and a number of research efforts are underway to mitigate this problem.) 

operation denotes opera; on in accordance with instructions provided bv system 
SKE** attcnUon or management is required of the pilots. Until recen7y, ^ely few 
s P systems operated autonomously. With the introduction of the A320 and MD- 1 1 
however, major systems operate in this way. ’ 

all t™^T 0l i. SyS T incorporates envelope limitation; this system operates at 

? parameters (bank angle, pitch or angle of attack) cannot be exceeded by the pilot 
vaS i ^!? g ° {i A P? mo " s ? f the flight control computer systems or flying below their cutoff 

IS d ° ne - d ^ ng ** low ‘ altitudc fl >’ over prior to rhe Mulnouse-Habsheim accidem (ref 

44;. Predetcnmnec thrust parameters also cannot be exceeded- 'Hie MD-1 1 incorporates an pie nf 

s^tem^I? * e n ivm Vi tS limits f can ** 0ver ridden by the pilot, as can the limits (rfthe autofhrust 
the ^ craft systems also operate autonomously, to a considerable degree 

rnn^u^A^ and Su ^2*? rcconfi g^adon are also autonomous if the aircraft system 
contraltos (AuC) are enabled (the normal condition). Any system may be operated manually 
though the protections provided by the ASC systems are not available during manual operation. * ’ 

Systems designed for autonomous operation pose serious philosophical questions with resoect 
Wdl ? pilCt in r oWement - These q««tions arosefet in theTst^of fiK 
T^^An^icanF a ICCCn . t ^^gned editorial in Flight International (ref g 4 5). 

6 fighter .> fly by wire control system incorporates “hard” limits which “preserve 
s fiytng qualides nght to the limit of its closely defined envelope” but do not permit the 
pilot to maneuver beyond those limits. The Flight editorial points out that “There is however 

to hip?*?lS^Jh aVa £f C; £ ° devel 0P a ‘softer’ fly-by-wire system which allows the aircraft to go 
to higher limits than before but with a progressive degradation of flying qualities as those higher 
W are approached It IS dm latter philosophy which has been adopted bv the Sov ets Kd 
fighters like the MiG- 29 and Sukhoi Su-27. It is not, as Mikovan’s chief test mC L? 
necessarily a philosophy which an air force will prefer.” He says, however “Although 
this...approach requires greater efforts.,.it guarantees a significant increase in the overall quality of 

1,80 "ft* &°' ° his » 

tneir tuuest extent (ref. 46). rhe softer* approach has been taken in the MD-1 1 which permits 
pilots to override automatic protection mechanisms by application of additional control forceT 

tS<*v ailC ? ft *° not f a?e thrcat P 0 ^ tD a fighter whose maneuverability is limited 

Lhey d ° on occasion have to take violent evasive action (see also page 86), and the» mav on 

extremely rare occasions need control or power authority up to (or even beyond) structural' and 
engine limits to cope with very serious failures. The issue is whether the pilot, who is ultimately 
responsible for safe mission completion, should be permitted to operate to or even beyond airplane 
lmnts when he or she determines that a dire emergency requires such operation. The issue will not 
be simply resolved, and the rarity of such emergencies makes it difficult to obtain empirical support 
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for one or the other philosophy. Nonetheless, the issue is a fundamental one. Pilots must 
approach such limitations on their authority with extreme wariness; designers must recognize that 
hard limits place them, rather than pilots, in the position of ultimate command, given the capability 
and flexibility of automated systems. Pilots must also be concerned about the effects such systems 
may have on their perception of their responsibilities, which remain despite whatever protective 
systems may be installed Such systems can fail. 

Another fundamental question is how wide a range of control and management options should 
be provided. This may weli vary across functions; indeed, pilots will often operate at a rai.ge of 
levels, for example controlling thrust manually while managing the autopilot and using the flight 
director to monitor navigation Pilot cognitive styles vary; their skill levels also vary somewhat as 
a function of the amount of recent flying they have done, how tired they are, etc. These factors 
lead us to argue that a reasonable range of options must be provided, but widening the range is 
expensive in terms of equipment costs as well as of training time and time required to maintain 
familiarity with a broad spectrum of automation capabilities. 

One way to keep pilots involved in the operation of the aircraft is to limit their ability to 
withdraw from it by invoking very high levels of management. Another, perhaps preferable way 
is to structure those higher levels of management so that they still require planning, decision- 
making and procedural tasks. The use of a management by consent approach, rather than 
management by exception, could be structured to insure that pilots must enable each successive 
flight phase or aircraft change of status, as an instance. It has been suggested by one air carrier 
that long-haul pilots should be given the tools with which to become involved in flight planning for 
maximum economy on an ongoing basis; this is another approach to maintaining higher levels of 
involvement. 

Control Automation in the Future 

Control automation is already highly advanced and highly competent. What may we 
reasonably expect to see in the way of further advances? What additional factors should be 
considered in this domain? 

There is increasing concern regarding the problem of runway incursions, as airports become 
more and more congested. Several studies (refs. 47 and 48) have highlighted this problem; two 
recent accidents, at Detroit and Los Angeles, have underscored its seriousness (ref. 84). Improved 
radar surveillance of airport surfaces is technically feasible and new devices are scheduled for 
installation; light systems at ranway-taxiway intersections have been tried in the United States and 
are in use elsewhere, but neither of these approaches will be fully effective in mitigating the 
problem of human (either pilot or controller) error (ref. 49). 

More error-resistant and error-tolerant approaches to this problem are needed, especially given 
problems of low visibility and contaminated taxiway surfaces which can obscure markings 
temporarily. Suggested approaches include some degree of automation in control and conduct of 
movements on the airport surface. Automation has not been extended to control of aircraft on the 
airport, though techniques for lane-holding have been attempted in automobiles on roadways with 
embedded wiring. Highly precise satellite navigational aids, particularly when accuracy is 
enhanced by fixed-installation comparison techniques such as differentiarGPS (ref. 50), may 
provide the means for true all-weather control of airplane positions on the ground. If airport 
features can be described precisely, automatic control or lircraft during taxi is possible, though it 
will require very large databases in the flight management systems that will access the information 
and very ace. "ate map displays in the cockpit 

It needs to be pointed out that if automated control of aircraft on the airport surface becomes a 
reality, pilots will be unable to verify the correct operation of the automation under conditions of 
severely limited visibility. Before such technology is implemented, it will be necessary to consider 
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ISniiH^ P ^ nden | tDOm J°F m ^ capability can be provided. One possibility may be the use of 
millimeter- wave radar and the provision of synthetic visual displav devices in the cockpit (such 

S em fh C l Uld S° P ro vide independent monitoring capability during low- visibility approaches 

,nf “ 10 thc d,sp,ays m,8h! 

Although today’s aircraft have the capability to follow an ILS localizer centerline accurately 

^ll . CaP y USe of during automatic landings, automatic takeoffs using centerline 

guidance are not performed, probably because of concern about asymmetric power failures and the 

t0 <*“*»• » aborted SSrf? 

Lertainly the pilot is more quickly able to counter variations in direction if he or she is involved in 

’tarn cStae™ 1 ' “ VmbUity "* P1 ‘ M 1550 inTOdjces **** “ 

or " » 

mitigaung some noise problem.: for communities in the vicinity of airports (ref 51 ) Flvine verv 
S' XaP r aCheS wiU iead ? a rprcciable increases in flight ere w^Soad, 
the approaches are automatic. Alternate means arc being explored to enable equivalent approaches 
ing existing equipment capabilities, but these too will involve higher cockpit workload The 
sy^m “ **“ en ° Ugh 80 1)131 such a PP roaches probably ^uL^ In “fuSe 

C K pe f t l °i ^ morc highly inte § rated automation suites in virtuallv all future 
transport aircraft. A higher level of integration may permit simpler automation architectures that are 
more easily and intuitively understood by pilots, though the trend to date has been toward Ereater 

JJ^jf *^5I2 P iC i lty ' T ge ° f ° pti0ns 2vailab!e t0 *e pilot should be narrowJdis an 

2SL2f SIM ?: u Ev f" b , eforc the advent of the P^sem generation of aircraft. incident? were 
repoired in which pilots became confused about the mode in which they were oLraMe lh s ied [o 
a stall at high altitude in the case of an Acromexico DC- 10 departing 2 ‘ 

to^ts Urination Cd damagC during the recover >' P^ess, though the airplane was flown on 

~™J^° Uld ^ f ^ )1I ? te f °“ t ^>at problems such as this may be due to the automation of a 
-ontrol function which should not have been automated, but they may equally well be due to failure 
£ f needcd funcno ” sufficiently obvious, that is to poo? imptemSon , 

f^. C th° n f P r aut0m2tI0r \- 0ur first principles state that the pilot must be invo’ved- thev also state 
tha the pilot must be informed, and this includes prominently being informed, at the lev*! reauired 
for hun to fulfill his responsibilities, of the airplane and automation characteristics at alf times As 

•c JhTth** °n t several u tim L e ) s bere ’ to ° ’puch information may be as bad as too little, the critical point 
is that the pilot must be able to maintain state and situation awareness. * P° 

As subsystem automation becomes more capable and more common we shall have m 

Dnnibil £5!S? y . W ^ a i! ubsystem mana g ement actions should not be automated. In thc MB- 11 
Douglas has refrained from automating fully any tasks that are irreversible in terms of their effect 
on the airplane s ability to complete its mission. In future aircraft, we must consider as well 
certain actions that can be taken by pilots rather than by the automation should Sso t 
proscribed, or at least made to require confirmation or consent. There have been two cases in 

t'ha! C fhJ >d0tS ShUt ° f ‘ fUC t0 ^° Ul engines ? f a ^n-engine transpon shortly after takeoff, thinking 
that they were operating its electronic engine controllers (ref. 52). In these cases, either designers 
did not recognize the potenca. for the specification of procedures that could be hazardous or Jr* a ; r 
earners did not understand the (designer’s) intent for the EEC enable/disabie function or both 

KM E2K °^^ oxs as weI1 ’ mus{ - d — d -ma&^ 
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Our first principles suggest that the automation must be able to monitor^ the pilots. Monitoring 
automation could certainly be designed to question certain classes of pilot actions that can 
potentially compromise mission completion, though for the automation to proscribe such actions 
would again limit the authority of the pilot. It is hoped that more serious thought will be given to 
the pilot-automation and autom3tion-pilot monitoring functions, both of w'- .ch are enabled by the 
highly competent digital computers row in place in advanced aircraft 
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Information Automation 


r r exanui e wh at Faddcn has termed information automation. Though primitive levels 

of mtonnanon automation nave been present for some time, information autLSS ^an tu 

^ UCd0 S 0f ,J ? : igIass cock P«” in Which CRT Greens 
cm. c. dli o. tne oxer electromechanical instruments. Even prior to this develonmenr 

mformation management had become a major problem in aviation. Billings Lauber and Conner 

rasWSobleU m -iS nf V^V ^ An earl >' ASRS S ^Y found information 

L<msier problems in , 3% of ^,000 consecutive incident repons (ref. 54). 

• 1 ,T he , advem of CRT screens in cockpits made it possible for designers both to provide mon* 
w h fa ne " b!e »*-■■ V a to tonlto StoSSHtoX 

SfStoS iuppliei Furth ; r> pU °' 3 werc "°' Uam .o demand X 

tifXSri hai ‘ lhc ^ beicre ; experimental studies have found that pilots want as much 
-■ ormauon as may possioly be relevant, even at the cost of increased workload (ref. 55). 

Tflough pronounced differences in philosophy exist among the maior surmliers of transonn 
aircraft, most have been fairly conservative abom new cockpit displa^ Tt shou d te reXbS 
tnat automation, which enables more information to be presented, 

of the amount ot mformanon required to monitor the automated functions, as shown in figure IS. ~ 
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Despite this conservatism, new alerting systems have been introduced, several mandated bv 
Congressional decree; each requires the presentation of new information to pilots Ground 
proxmnty wairung systems, mandated in 1974, provide visual and aural warnings. Traffic alert 
2n 1 < r i ! lslf ? n av Oidance systems (TCA.S), now being installed in ail transport aircraft, provide 
visual displays and visual and voice warnings of traffic threats Windshear advisory systems 
mandateu ior installation during 3991-1993, will also introduce visual and aural warnings. 

Though map displays have greativ simplified the presentation of navigational information, the 
integration of weather radar data and T CAS traffic displays with navigational data has complicated 
tno ,f displays considerably, especially on smaller CRTs. The coming of digital data link for ATC 
messages wm add stul further visual displays that must be attended to. We will now examine the 
kinds of information m the cockpit, the ways in which it is displayed, and the effects of automation 
on tne iniormation provided to ilight crews to enable mission accomplishment. 

Flight path displays: Pilots art physiologically unable to maintain a stable airplane attitude 
by reference on,y to thexr own sensory' inputs because of limitations in their ability to sense motion 
^l^ Ce f Tatl ° n m m axes (ref. 56). The first attempts by Doolittle and others to develop 

mstru P? e ” t W 5 ef - 5 /} were prompted by the recognition of this fact. Gyroscopic 
turn indtcaiore and ball slip indicators prodded data concerning turn rate and sideslip; airspeed and 
altitude indicators pnmdec coarse information concerning climbs and descents Two-axis 
gyroscopes provided sensing for the more intuitive artificial horizon, which accurately displaved 
oank and pitch angle on a single device; another single-axis gyroscope provided heading 

1 "'f ! ? iauc ? n w!ien st } V 1 accordance with a magnetic compass. Vertical speed instruments were 
added to show rate of change of barometric altitude (figure 17). 



Figure 17: Primary flight instruments: airspeed indicator, artificial horizon, three-pointer altimeter 
turn and bank indicator, directional gyro, vertical speed indicator The airplane is in a left turn 
without sideslip, at 147 knots, descending from 1340 feet at 630 feet per minute. 
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Figure 18: Electronic primary flight display. 


The information provided by 
these six instruments has been the 
foundation of instrument flying e /er 
since. Analogous information, 
though derived in many cases from 
different sensors (air data computers 
and inertia] reference platforms), is 
still the basis of the primary flight 
display in the newest and most 
sophisticated aircraft (figure 18 ). The 
several sources of data, in different 
formats, require considerable mental 
integration to permit the formation of 
a coherent perception of the airplane’s 
attitude, state, and rate of change. In 
advanced electronic displays, a 
variet • of aids is made available to 
assist the pilot in maintaining this 
perception, but (he basic information 
displayed is not fundamentally 
different. 


of concern* feign engineers have brongh. fonh a varierv 
Site Mm, of T* T le8ra " on of *e information presorted in die primary fligh'l 

c i ° St j • ese ^ ave mvo * ve d some son of “pathway through the skv” concent ,'fio to. 

fs sin n„Sr ^etopmem «! d a* ? h f ! ' has , *«» «=«ed » ghr, a^d 

more integrated, displays could increase training req uirements and perhaps compromise safety. ’ 



Figure 19: Pathway in the sky display. 




In older aircraft, several displays are also used to provide navigational (more properly, 
position } information to pilots, In essence, pilots are informed of their bearing and distance from a 
radio navigation aid, or during inertial flight, from a geographic waypoint defined in the flight 
management computer. During approaches, they are informed of their lateral and vertical 
deviations from localizer and glide slope centerlines. This information, like attitude information, 
must oe considerably transformed to permit the derivation of present position. Figure 20 is a 
sketch of this information. It shows a horizontal situation display containing a heading indicator 
(whose data now comes from a remotely-mounted, stabilized magnetic compass), a digital displav 
of DME distance, and a radio magnetic indicator (RMI), showing the bearing to two VOR stations 
or tow -free ue -icy radm beacons. The RMI also contains a heading indicator, whose inputs are 
normally from a second independent magnetic compass unit. 



Figure 20: Flectromechamcal navigation instilments: radio magnetic indicator (RMI) to left, horizontal situation 
display (HSI) to right. The 180* radial of the VOR being tracked is 12' to the right; the VOR is 10.2 miles away 
Aircraft is flying parallel to that radial. The HSI also shows glide slope deviations when tuned to an ELS frequency. 


The introduction of CRT screens in the cockpit made possible drastically simplified navigation 
displays. Although cor verttional HSI displays like that shown above are still provided, nearly all 
pilots of glass cockpit a:rplanes use map displays for most enroute flying. The map displays utilize 
data stored in the flight management system to provide a pictorial planform display of present 
position and future navigation waypoints. In some aircraft, terrain obstructions and airports can 
also be selected. In most glass cockpit aircraft, weather can also be depi ;ted on the display; 
displays of other traffic are, or will be, provided by TCAS equipment. 


When all of these options are exercised at once, screens can be cluttered if significant weather 
or a great deal of nearby traffic is present, but the displays still require less mental effort on the part 
of the pilot. Many navigation displays can also be used in a “north-up mode” to display the r. ute 
programmed in thc ’ computers. The scale of the navigation display can be varied; some 
i CAS units also perenit altitude filtering. Figure 21 shows such a navigation display. It includes 
flight plan, present and predicted flight path, waypoint and radio navigation aid locations, location 
of weather, altitude relative to planned altitude, inertial ground speed and wind direction and speed. 
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Figure 2 1 : Electronic map display showing weather, flight piar 
rouf and nav aids. 


Map displays have immeasurably 
cased the cognitive tasks of pilots by 
giving them an instantaneous, easily- 
interpreted picture of their location 
'vi;h respect to their plan. Wiener 
(1989) repo Ted that they are the most 
desired single feature of advanced 
automation. As with flight directors, 
it is not difficuh to lose sight of the 
raw navigation data. Map displays do 
not make it particularly easy to 
evaluate the raw data from which 
position is derived, and it has been 
necessary to introduce special display 
elements to aid in this task. American 
and British incident re pons (ref. 60) 
describe circumstances in which the 
apparent position was incorrect, and 
the clarity and apparent precision of 
the displays can be seductive. 


_ __ Splays: The Boeing 

/57/767 introduced electronic engine 
status displays. These displays 
provided enhanced electronic 
depictions of information that had 
been available on electromechanical 
instruments, together with adaptive 
EGT limits, data on commanded vs. 
actual thrust for autothrust operation, 
e c. The later Airbus A320 provided 
a sum ar set of electronic displays and 
alphai.umeric information. The 
Boeing 7 47-40Q electronic power 
displays v ere the first to utilize a 
simplified tape fo mat on a . rimary 
and secondary display (figure 22). A 
compacted format showing analog 
tape and alphanumeric data is also 
available. These displays were based 
on research showing that pilots were 
better able to evaluate engine prob- 
lems with displays tailored to the 
number of engines. The MD-11 
primary and secondary power 
_. ^ displays are again CRT represen- 

Figure 2_: Primary EICAS display , Boeing 747-400. tations of the earlier electromechanical 

displays. 


r 


TAT c D-TO \ *23 i 

*■•3 1JO HtV 


532 ES2 EMI HS3 


ms Q221 

TT Tf 




GD 5*2 
TP 


12 

CAM ALT 7500 IPUTC >25C 
loom-t 200 Jip 5.6 


ENG 3 FIRE 
ENG 3 SHUTDOWN 
YAW DAMPER UPR 


cm iGNmow 
SEATBELTS 


250 243-324 


fbOWNI 

GEAR 


0 


TOVAlFUEl 362.6 

TSIF *10C 


tha, S ? glaSS COCkpi! display, 

cmrent-technciogy Abbonlad 


37 



concept for a considerably-simplified set of power displays using bar graphs which show relative 
data vs. appropriate values for engine parameters (ref. 61). (See page 44 for discussion.) The 
engine monitoring and control system (E-MACS) concept will be evaluated in flight simulations as 
a part of the NASA Aviation Safety /Automation concept demonstrations. 

Configuration displays and alerting systems: In older aircraft, a variety of lights and 
gages were used to show the configuration of landing gear, flaps and slats, control surfaces, 
aircraft doors and other flight-critical systems. Nearly all current-generation aircraft have displays 
that provide such information in graphic form, though Airbus Industrie has gone farther than oilier 
manufacturers in showing the configuration of components of these systems as well as the systems 
as a whole. 


Figure 23 shows an elegant little 
icon used in the A320 to indicate flap 
and slat position. The diagram 
appears on the engine display screen 
together with engine data, status and 
alerting messages. The number refers 
to flap selector position. 

Alerting messages and aural 
signals are still used in newer aircraft 
for critical items prior to takeoff and 
approaching landing, as in earlier 
generations. These takeoff and land- 
ing configuration warning systems have prevented many accidents, but then occasional failure, and 
their ability to generate spurious or nuisance warnings, raise a problem of a more general nature. 
Devices that are extremely reliable will come, over time, to be relied upon by pilots. In the rare 
cases when they fail, or are disabled, pilots may not be sufficiently aieit to detect the condition for 
which the device was originally provided. This occurred in two recent attempted takeoffs with 
flaps and leading-edge devices retracted- The aircraft crashed with heavy loss of life (refs. 10,1 1). 

The other side of this coin is that devices that produce too many ‘'false alarms” will be 
mistrusted by flight crews. In the extreme case, they will simply be ignored after pilots have 
become accustomed to them. This was the case when the earliest tndel of the ground proximity 
warning system (GPWS) was introduced. At least two accidents have occurred because pilots 
ignored, disabled or were slow to respond to warnings that were appropriate. Later GPWS 
models incorporated more complex algorithms and the number of nuisance warnings dropped 
dramatically. We are now seeing similar problems with large-scale implementation of TCAS-U. 

Altitude alerting systems, introduced to alert pilots when approaching a selected altitude and to 
warn them if they thereafter depart from that altitude, provided both aural and visual alerts many 
times in the course of routine flights. They were reliable and came to be depended upon; altitude 
excursions resulted when the devices malfunctioned or were ignored because of distractions. 
Pilots objected, however, to the number of aural alerts approaching altitude, and FAA amended its 
requirements to permit the use of only a visual signal approaching altitude After this change was 
made, pilots accustomed to hearing the aural alert before reaching their selected altitude were also 
involved in altitude excursions because it was no longer present (ref. 62). 

Color is used in all cockpits to indicate problems (red or amber, depending on severity), 
though display symbology and color-coding for CRT displays has not yet been standardized The 
Society of Automotive Engineers S-7 Committee is working on such a recommended standard. In 
most cases, redundant shape or size coding is used in addition to color, to minimize detection 
problems for color-deficient pilots and to maximize legibility in bright sunlight (though CRTs used 
in cockpits undergo stringent testing to insure readability in vety bright light). 



Figure 23: Electronic display of flap-slat positions ui A320. 
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The complexity of configuration 
displays can be high because of the 
number of items that are pertinent 
(figure 24). Though color can help to 
direct a pilot’s attention to parameters 
that are abnormal, a good deal of 
information must still he scanned. 
Cockpit designers have done an 
excellent job of eliminating large 
numbers of discrete “lights, bells and 
whistles,” within limits imposed by 
certification regulations, but they have 
substituted large amounts of discrete 
data integrated into a smallei number 
of displays. 

This topic is discussed in more 
detail in following sections, but it 
should be said here that current 
operational constraints often require 
pilots to review, by whatever means, 
a great deal of important status 
information prior to takeoff and 
during approach, periods that are 
already busy. Ways of summarizing 
. , this information that can alert pilots if 

a potential problem is: present are highly desirable, but onlv if they are trustworthy, for pilots will 
come to depend on such aids. “Automation must be predictable,” but i: must also warn 
unmistakably when it is unable to perform a flight-critical function. 
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Figure 24: Flight contra! configuration display, A320. 


Subsystem displays: Though there is still a philosophical controversy about tire necessity 
or ever, the desirability of providing synoptic subsystem information in the cockpit, pilots and 
operators clearly find it desirable to have such displays and they are provided in most glass cockpit 
aircraft. Synoptics of simple systems may increase the risk of misinterpretation, though they are 
probably advantageous for the depiction of more complex systems. Some of the controversy 
probably relates to certification issues; manufacturers and operators alike wish to incorporate as 
few- essential systems as possible to avoid grounding airplanes when they fail, and the overhead 
panels on uiese aircraft permit full manual operation of all subsystems. 


Like configuration displays, subsystem synoptic displays can be very complex, though most 
manufacturers have made them as simple as possible. Multiple faults, however, will still require 
careful pilot attention to the screens to understand fully the nature of the problems. Herein lies 
anotner facet of the controversy. Modem airplanes are designed to require specific actions (usually 
as few as possible) in response to any fault or combination of them. The required actions are 
spelled out in checklists which are designed to be followed precisely. These aircraft are also 
designed to require no more than checklist adherence for safe flight completion. There is 
continuing concern among designers that providing too detailed information on subsystem 
configuration may lead some pilots to adopt more innovative approaches to complex problems, and 
thereby negate the care the manufacturer has taken to simplify fault rectification. Such behavior 
has caused serious incidents in the past and will probably continue to do so in the future despite the 
best efforts of designers to achieve simplicity and clarity in their designs and procedures. 


On the other hand, pilots argue, with justification based on experience, that faults not 
contemplated by the manufacturer may we’* occur in line operations. They point, as one instance, 
to a LlOil that was landed safely at Los Angeles after its crew was faced with a completely 
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unanticipated control surface fault for which no book solution existed (ref. 63). They do not wish 
tc be deprived of any information that could assist them in coping with such problems. 

, cockpit, as indicated above, does not provide subsystem synoptics, 

though EiCAS messages provide a great deal of information on aircraft system status. Since not 
a., information can be presented, the questions that must be answered is at what point the 
appropriate compromise can be found. Better models both of system behavior and of cognitive 
responses to malfunction information are needed to answer this question. Such research is 
underway within the NASA Aviation Safety/Automation program (ref. 64). 



Figure 25: Hydraulic system synoptic page, MD- 11. 

synoptic diagram) after low system A hydraulic quantity 
hydraulic fluid reservoir is also shown. 


As noted above, Douglas Aircraft 
has taken a different approach r o 
subsystem management in that it has 
automated most normal and abnormal 
actions in the MD-11 subsystems. 
The synoptics in the MD-11 are 
simplified diagrams of each 
subsystem. When an abnormal 
condition is detected, the appropriate 
system controller takes action; an 
alerting message is displayed on the 
engine and alert display. The 
appropriate subsystem pushbutton on 
the systems control panel is also 
lighted. When actuated, this 
pushbutton brings up the synoptic, 
which w ill show the system diagram 
with altered icons indicating the fault, 
what action has been taken, and a list 
of the consequences for the conduct 
of the remainder of the flight. Figure 
25 shows an example of a level 2 alert 
(system A hydraulic fluid loss) which 
has been resolved automatically by 
inactivation of the two system A 
hydraulic pumps (system at left of the 
was detected. The depleted system A 


i ? ere ) synoptic display is very- clear (and compelling); there is no question about what has 
laued and what has been cone about it, although a failed sensor could produce the same display as 
a failed system and the pilot must still differentiate between these two conditions. This leads to a 
quesuon about whether such systems should be permitted to be reconfigured autonomously 
witnout pilot consent. The designer of such a system bears the heavy burden of insuring that the 
action taken by the automation is always appropriu . and that it will not under any circumstances 
worsen the situation. Ascertaining this may be comparatively simple for manv faults- for others it 
may not be. The design philosophy appears to have been effective in lightening pilot workload: 
more experience will be necessary to determine whether it has unwanted effects as well, aside from 
the minimal burden of monitoring the automation. Alerting messages appear if any of the 
automatic aircraft system controllers fail; the computers reconfigure the subsystem for manual 
operation if both of die dual channels become inoperative. 

It must be kept in mind that sensors, processing equipment or display generators can fail, and 
that when incorrect information is presented, or correct information is not presented, there is the 
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potential for confusion in the minds of the pilots, 
accommodated. The information must be important enough 


This adds complexity but must be 
to warrant the added complexity. 


AVMOS COMPT ©VHT 


NOTE: This alert will be accompanied by the TRIM AIR 
A VNCS OVHT light on the overhead panel, which will re- 
main Ukjrrinat&d until reset by maintenance. 

Air System VERirY MANUAL 

AIR VERIP/ OFF 

<^JVAVNCS COMPT QVHT 1 ALERT REGAINS DISPLAYED 


RACKS 1 A3 Opp 





'AVNCS COMPT OVHT 1 ALERT 
REMAINS DISPLAYED 


> 


PACKs 1 & 3 must remain off for remainder 
of flight. 

f G5S) 

PACK 1 ON 

/ ’AVNCS COMPT OVHT- ALERT 
\ DISPLAYED AGAIN 

| PACK 


> 


OFT 

When 'AVNCS COMPT OVHT- alert is no 
'ongar displayed, 

pack a ON 


<i. 


•AVNCS COMPT OVHT" ALERT\ 
DISP LAYED AGAIN / 

ra 

^ PACK3 OFF 

Packs 1 & 3 must remain off for 
remainder of flight. 

END} 


(END) 


Pack 1 must remain off for remainer of 
flight. 

t d© 

Pack 3 must remain off for remainder of flight. 
fEND} 


Figure 26: Quick Reference Handbook checklist, MD-1 1. 


It has been suggested here that 
though many subsystem displays, 
and some systems, have been 
considerably simplified, other 
subsystems have become more 
complex Older aircraft contained 
several hundred discrete cockpit 
alerting and warning signals (ref. 65). 
In current-technology aircraft, a smail 
area on the primary EICAS or EC AM 
screen is considered adequate for the 
presentation of all warning and 
alerting messages (though scrolling 
through such messages may be 
necessary with compound faults). 
The messages themselves are highly 
abbreviated; quick-reference hand- 
book checklists contain procedures 
for each abbreviated alerting message. 

While the number of discrete 
alerting devices has decreased 
markedly, the number of discrete 
alerting messages that may be 
displayed and may require action is 
still large, though the number of level 
3 (emergency) warnings has been 
kept as small as possible and non- 
essential warnings and alerts are 
inhibited during takeoff and final 
approach. Nonetheless, fault 
management may still be complex, 
and newer aircraft are operated by a 
crew of two instead of the former 
three persons, so there may be more 
for each crew member to do. It is 
largely for this reason that Douglas 
has automated many MD-11 
subsystems management tasks. A 
sample QRH page is shown in figure 
26. It contains the checklist to be 
followed in the event of an avionics 
compartment overheat alert. A 
manual troubleshooting procedure is 
diagrammed logically. 


Information displays: Many new information displays have been enabled bv flight 
management computers and CRT display media. At the upper left comer of fieme 21 H 
f n ho /* s f^nd^speed, ^ddirection and velocity, and an arrow also shows wind diLuon rela!we 
airplane s track. This information was previously available on the FMS alnhanumerir 
screen but the arrow provides the information in a more immediately 

sa ™ digram, a curved predictor display shows where the airp SZ S to £ 
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future if it continues in its present turn. In figure 18, a small arrow pointing downward from 
present airspeed is a trend vector, it points to the airspeed of the airplane 10 seconds hence if its 
present rate of deceleration continues. These are just a few of a large number of enhanced 
information displays made possible by automated systems in glass cockpit aircraft 

A good example of enhanced imormation displays is the use of the navigation display for 
flight plan verification. The entry of geographic waypoints into the FMS prior to departure is 
known to be an error-prone task; elaborate procedures involving the entire flight crew have been 
instituted to decrease the likelihood of errors in performing this task. Nonetheless, input errors do 
occur, are not obvious, and can be extremely serious. The destruction of a Korean Air Lines 747 
over Soviet airspace is thought to have been due in part to an INS programming error that occurred 
many hours earlier, before takeoff from Anchorage (ref. 66). In a more recent case, a Delta 747 
and a Continental DC- 10 nearly collided over the Atlantic due to an input error by the Delta crew 
before takeoff (ref. 67). 

Newer automation permits the use of the navigation display for graphic visualization of flight 
plans. An expanded range (up to 640 NM in the 747-400 and MD-11), north-up presentation of 
the flight plan enables the flight crew to detect obvious or gross errors in the waypoints they have 
inserted into the FMS. At present, no terrain or other geographic orienting features are contained 
in FMS databases, but it is expected that future electronic library systems (see below) will contain 
such features; they can be used to provide even more assistance to the crew in detecting errors in 
flight plan construction. As always, there will be the added cost of learning to manage the new 
system and of still more information availability. 

Even older aircraft incorporate a variety of more-or-less automated information displays; the 
altitude alert system discussed on p?ge 38 is an example. A manually-set digital altitude reminder 
is compared with actual barometric altitude; alerting signals indicate when the airplane approaches, 
attains or later departs from the selected altitude. 

Aircraft equipped with flight management systems but electromechanical instruments utilize a 
small monochromatic CRT display in the FMS CDU for the presentation of alphanumeric 
information derived from the FMS. These screens will undoubtedly also be used for digital data 
received by data link units in such aircraft. TCAS incorporates a planfonn display of traffic in the 
vicinity of one’s own aircraft. In some installations a dedicated CRT is used; in others, TCAS 
information may be shown on a color radrr screen, while in others, a new color display combines 
a presentation of the instantaneous vertical speed indicator (IVSI) with a small planform display of 
traffic. This instrument replaces the conventional fVSI. In nearly all glass cockpit aircraft, it is 
expected that the information will be shown on navigation and flight displays. 

Discussion of Information Automation 

The purpose of information automation in the cockpit is to enhance the flow of information to 
the flight crew. This information is necessary to permit the crew members to maintain full 
awareness of their situation. “Situation awareness” is a term in wide use, but it has been difficult 
to define at all precisely. It is thought that much of the difficulty in arriving at an acceptable 
definition may be semantic rather than substantive; like other terms of art, it may be more difficult 
to define than to understand. Saner and Woods have reviewed the literature and have suggested 
ways of delimiting the term more effectively (ref. 24). 

In situation awareness, we include the crew’s perception of the state and status of their 
airplane, its position in space, and the state of the physical and operational environment in which it 
is operating and will operate in the immediate future. Information automation, like all other aircraft 
automation, must assist the crew in main taining situation awareness. 
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simplification of the information displayed would not be appropriate during cruising flight on 
autopiiot. 


Such an approach is shown in 
figure 27, which depicts a com- 
pressed presentation of the data 
required under such circumstances. 
Research would be required to deter- 
mine whether such truncated displays 
in fact permitted performance 
equivalent to present displays under 
all conditions, and whether detection 
of anomalies was as easy as with 
present formats. The use of different 
displays in different management 
modes might reinforce pilot aware- 
ness of the operating mode. 

The primary flight display is not interactive; pilots cannot modify it, as they can the navigation 
displays, to suit their circumstances or cognitive styles. Whether this should be permitted, or is 
needed, also deserves discussion. If some degree of PFD reconfiguration or de-clutteting is to be 
implemented, should it be at pilot discretion or should it be done automatically as a function of 
flight phase or automation in use? Should a range of PFD options be available? If so, why? 

Power displays: The pilot requires continuous information about the power being 
developed by each powerpiant. and information about any anomalies in the propulsion system. Is 
more than this needed on primary power displays? Abbott and colleagues (ref. 61) have suggested 
that detection of power anomalies might be considerably enhanced by simplified displays. They 
point to the Air Honda 737 accident or, takeoff from Washington National Airport, in which, 
despite conflicting information on the various engine parameters due to icing of temperature 
probes, the takeoff was continued with engines developing much less than takeoff thrust (ref. 68). 

As noted above, raw data on 
several engine parameters is displayed 
even in highly automated aircraft. 
The Air Florida case points out the 
importance of maintaining a scan of 
ali of them, and the display shown in 
figure 22 attempts to ease this task. 
But what the pilot needs to know is 
simply the instantaneous thrust being 
developed by each engine, and 
perhaps any trends in thrust. This 
could be done by modern automation 
driving a very simple display, as 
shown diagrammatically in figure 28. 

Configuration displays and alerting systems : Much progress has been made in 
simplifying alerting and warning systems. In view of their very high reliability, it is necessary to 
consider how pilots can be kept alert to the possibility of the failure of such systems. This has 
traditionally been done by relying upon pilot knowledge as the primary tool for configuring the 
aircraft, reinforced by the use of checklists to verify completion of the required actions. The 
automated warning systems are a backup check that the most essential items have been g raded tx>. 
This approach has been extremely, though not invariably, successful, as the Detroit and Dallas 



Figure 28: A simplified display of engine thrust parameters and 
trends. Engine 4 is still accelerating but is commanded to reach 
normal takeoff thrust 



Figure 27: Simplified PFD presentation. 
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the likelihood of pilot actions that can threaten flight safety is warranted as a means of improving 
error-resistance (ref. 72). Such monitoring could appreciably decrease the 'likelihood of flight crew 
blunders such^as those which resulted in shutting down both engines of two 767s shortly after 
takeofi (ref. 52>, or the several instances in winch fuel mismanagement has resulted in all engines 
failing during flight. 


SWITCH DISPLAY 




Figure 29: Electronic display of switch position and function 


The advent of synoptic displays 
in cockpits has given rise to another 
question about the display of synoptic 
information. On such a screen, 
should a switch display indicate the 
sensed position of the switch itself, or 
of the device affected? In older 
aircraft, disagreement between 
physical switch position and the 
control actuated was usually 
indicated. This can be done on CRT 
displays by sensing and displaying 
both function (flow, pressure or 
voltage) downstream from the switch 
or valve while indicating switch 
position on the switch icon, as is 
suggested in figure 29. This 
approach would increase display 
redundancy as well. 


How much information does the pilot need under various circumstances? A variety of 
displays is used even in older aircraft, depending on how much information regarding a given 
function is, or may be, required (figure 30). The formats available are limited, though either dial 
or representations of dat 2 can be used. Each level of display has benefits and costs in terms of 
legibility, required space and weight, and mental workload necessary to assimilate the information. 


questions must always be asked: How much information is enough? How much is too 
much? Though pilots always want more information, they arc not always able to assimilate it t 0 
provide too much infonnation simply guarantees that pilots under high workload will ignore some 
of tt, and which data they will ignore under particular circumstances is not predictable. 


* 



SYSTEM 

B UNCT!ON 


QUALITATIVE QUANTITATIVE QUANTITATIVE 
DATA & TREND DATA ONLY DATA & TREND 



MORE EXACT 
DATA A TREND 


Figure 30: Amounts of infumaron presented by various electromechanical displays. 
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The glass cockpit has 
made it possible to tailor 
displays more effectively, and 
to provide alphanumeric, 
graphic or iconic represen- 
tations of data. A continuum 
of displays is again possible, 
from the simplest indication of 
overall subsystem function or 
failure, through very simple 
diagrams of system contin- 
uity, to displays of systems 
nodes and continuity, to more 
complex displays that provide 
quantitative data regarding 
these functions, as shown in 
figure 31. 
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Figure Jl. CRT displays of system information. 
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variom Sm &r /e? Ut Z matl0n: T n an automated aircraft, pilots must be able to monitor the 
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As fault-tolerant automation becomes the rule, may it become necessary to indicate degradation 
t at will not be obvious because backup channels or processors are in use? Manv of the duel 
?J-Wj SS ^ r CO ? ip ! lte ^i n currcm use do indicate to pilots that one of the two processors has 
b!f°' tl 0ugh tlie ‘“formaaon is logged in maintenance databases and, in some aircraft this 
f Fl ?r cessi0l f in or on the pound. Is this information needed by odors 0 It ran 
be a. 1 , 0 , that if manual capability exists and is the backup for a total computer failure it is oniv 

pr ° f ert Ul f pIOt when raaT5Ual operation becomes necessary, as in the MD-Ii A SC 

7r?h7t £ f I Can alS ° 56 ar g ued - howev er, that pilots should be able to ascertain that the reserve 
-apabuity oi the automation is Jess because a backup processor is in use. 

The Future of Information Automation 
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quickly when it is ne. tied. and such systems may add to the cockpit information glut. 

h?ndb^kTwfll^kn A h ,S ^ *2,* to / edLK r or eIiminale Pa^r checklists and quick reference 
Handbooks, will also be introduced in the next generation of aircraft. Depending on their 

nfK?^ L1 A GeS ’ ? eSC SyS ) CI i ns may ^cve some, or a considerable n, of the routine workload of 
pilots. A continuum of electronic checklist automation can be proposed: 


FROM . i. 
• 2 . 

• 3 . 

• 4 . 

• 5 . 


Paper checklists presently in use 

CRT depiction of data on checklist, with scrolling on command 

CRT depiction of checklist data with internal monitoring of status of items 
and auto-scrolling 

CRT depiction of checklist with automatic execution on command of flight 
crew & 

EICAS statement of checklist required or a problem, with execution of 
appropriate checklist after consent by flight crew 


6 EICAS statement of problem followed by automatic execution of checklist 
without need tor action by flight crew 

7 . Automatic checklist execution when required; subsequent status announced 
to flight crew 

8 . Fully automatic checklist execution when required; flight crew not notified 


48 


This approach is similar to that proposed by Sheridan in a discussion of task allocation and 
supervisory control (ref. 73). The approaches currently in use in the A320 and MD-11 differ 
somewhat from those described m this list, though the MD-11 utilizes option 7 for subsystem 
reco&figaranon Electronic checklists are presently under investigation by Palmer and Decani at 
ivASA-Ames Research Center (ref. /I). Whether pilot situation, or more properly state, 
awareness is enhanced by having to perform checklists is not known, though it is known that 
present practices with regard to checklist completion are by no means optimal (ref. 74). 

Air-ground digital communications: The technology for digital communications 
between ground and aircrait is already in wide use (ACARS). Mode S transponder links wiU be as 
widely used wnhin the next lew years. Satellite communications will extend high-qualitv digital 
communication to aircraft flying beyond line-of-sight range from. land. The bandwidth of 
communications Channels will increase enormously, leading to the capability to transfer much more 
information to the cockpit. 


The most important issue raised by this new capability is what information needs to be 
transferred, m what form, under what circumstances, and over what channels (voice or digital) for 
what reasons. Designers as a community need to be involved in considerations of these ciuestions 
now in order to be able to implement cockpit information management in consistent and rational 
ways and to be able to integrate infonnation automation into cockpit automation as a whole. There 
will be considerable^ pressure to utilize the additional capacity for infonnation that mav not be 
relateu to the critical tasks of the pilot, and this pressure must be resisted or channeled 'to more 
appropriate persons or systems. There is quite enough information in current cockpits, and not 
enough integration despite advances m recent years. 
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Figure 33: Interaction ot flight management computer with other aircraft avion, cs (Honeywell FMS for MD-1 1 ). 
The FMS software executes these functions: 


Navigation 


Performance 


Guidance 


Electronic instrument system 
Control-display unit 
Iaput/output 
Built-in test 
Operating system 


Automatic radio tuning, determination of position 
velocity and wind. 

i rajectory determination, definition of guidance and 
control targets, flight path predictions. 

Erroi determination lateral steering and control 
command generation. 

Computation of map and situation data for display. 

Processing of keystrokes and flight plan construction. 

Processing of received and transmitted data. 

System monitoring, self testing and record keeping. 

Executive control of the operational program 
memory management, and stored routines. 
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The* FMC performance data base reduces the need for the pilot to refer to performance manuals 
during flight; it provides speed targets and altitude guidance with which the flight control computer 
develops pitch and thrust commands. The performance data base is also used by the FMC to 
provide detailed predictions aiong the entire aircraft trajectory'. The data stored in the data base 
includes accurate airplane drag and engine model data, maximum altitudes, and maximum and 
minimum speeds. 


Functions performed by the FMS include navigation using mertiai data from inertial reference 
units aboard the airplane and a combination of radio aids where available. It provides lateral 
guidance based on a stored or manually entered flight plan, and vertical guidance and navigation 
during climb and descent based on gross weight, cost index, predicted winds at cruise ainrudes, 
and specific ATC constraints. 
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Figure 34: Honeywell FMS control and display unit, MD 1 1. 


Flight management system 
controls; Interaction with all flight 
management systems is through a 
control and display unit (CDU) which 
combines a monochromatic or color 
CRT or LCD screen with a keyboard 
An example of a CDU is shown in 
figure 34. 

The unit contains a CRT display 
screen, six line select keys on each 
side of the CRT, a brightness adjust 
knob, 15 mode select kevs, two 
annunciators on each side of the 
keyboards, an alphabetic keyboard, 
and a numeric keyboard. The mode 
select keys provide quick access to 
FMS function pages and data; the 
alphanumeric keypads permit entry of 
data into the computer. 

The newest FMSs provide a 
number of routines to minimize pilot 
workload. Among them are the 
“ENG OUT’ function, which pro- 
vides automatic or manual access to 
the flight plan (F-PLN) or 
performance (PERF) pages to assist 
in evaluating and handling an engine 
failure condition. The function 
enables FMS engine-out operation 
modes. 

Entry of data is accomplished by 
using the keypads. The entered data 
are shown on a scratchpad line (see 
below); when a line select key is 
pushed, the data are transferred to the 
indicated line if they are in a format 
acceptable to the computet. 
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or 



here is 


The CDU screen shown l3 
the one that would appear when the 
“IN IT’ mode select key is actuated. 
The title line, at top, shows that this is 
the firs? of three flight plan screens; 
the ethers may be accessed with the 
PAGE key. The scratch pad line is at 
the bottom of the display. Vertical 
arrow's indicate that the arrow kevs 
may be used to increment values. 
The small font displays are predicted, 
default or FMC-caic ulated values, and 
labels. 


The 50 CDU pages arc arranged 
in a “tree” architecture. Portions of 
the architecture arc accessed by 12 of 
the mode select keys. A portion of 
this logical, but complex, architecture 
is shown below in figure 36. 


IS) 




Figure 36: FMS mode screens, MD- 1 1. 


These diagrams show the tree 
structure for two modes of this FMS. 
There are 12 such structures. While 
each is logical within itself, studies 
have shown that the actual number of 
necessary paging sequences is much 
larger. In a study of another FMS of 
the same generation, it was found that 
the number of sequences was several 
times the number planned for by the 
manufacturer (ref. 76) These 
structures, as well as the displays, 
vary greatly among aircraft types and 
avionics manufacturers. 

This large number of potential 
trees involves a considerable atten- 
aonal demand upon the pilot, even if 
he or she is fully proficient in the use 
Oi the FMS. Since flight plan 
changes are most commonly required 
during departure and arrival, re- 
programming the FMS can divert a 
significant amount of attention that 
m<*y be needed for outside scan and 
for cross -cockpit monitoring. 





Discussion of Management Automation 

Flight management system operation: Both pilots may interact with the MD-11 FMS 
simultaneous^ however the system will accept flight plan modifications only one at a time. 
1 nere are two FMCs, each of which may accept data from either CDU; one FMC is designated as 
master, and botn must confirm data entry before new data will be accepted. The two computers 
communicate with each other through a private data bus. 

k* S i- t ^ ie J' om P lex ' t y or ' r ^ e tnodc and display architecture poses substantial operational 

issues. Much has been done to simplify routine data entry, but recovery from errors ir. 
programming can be difficult. Entry of certain types of data r -fains cumbersome and time- 
consuming and diverts attention from other flying tasks, as discuss- -1 1 -low. If an incorrect entry 
is attempted, it is rejected, but without explanation of the error that ted to the rejection as one 

t interaction with die FMS is through one of two or three identical CDUs mounted on the 
.enter console. Even 'with color to assist, operation of the FMS requires close visual attention to 
the screen, and precision m entering data on the keypads. Alphanumeric data entry is known to be 
subject to human errors: numbers may be recalled incorrectly from short-term memory 
J ost ^ ommon )- y be input incorrectly, or they may be misread when the 
! ^ enfkd in ^ scratchpad tierore entry into the computer. Some data must be entered in 

a speafic sequence which imposes additional memory load on the operator, screen prompts are not 
aiways clear, when they are available. h 

Avionics and aircraft manufacturers have made many efforts to make interaction with the FMS 
more error-resistant, standard or frequently-used routes are stored in the navigation data base and 
?Tr be Cd b> nu ™5' er - SIDs and STARs are also in the data base; if a change is required bv 
,hihr n 2 hC ndmS f °J th u e Procedure need be entered. Changing Lhe amval runway automatically 
p a , ges tbe route flight. Appropriate navigation radio frequencies are auto-tuned as required 
lr TP ortai1 ^ rawer FMSs interact directly with navigation displays: pilots are shown 
the e .Ext of a change of flight pian in graphic form. They can thus verify that an alternative flighi 
efSct reaSOnab e (thou § h not necessarily what was requested by ATC) before putting it into 

In some new aircraft, entry of tactical flighi plan modifications (speed, altitude, heading 
vertical speed) can be done through the mode control panel rather than the CDU. These entries 
may either supersede FMS data temporarily, or may be entered into the FMS directlv from the 
panel. Experience with these improvements has been limited; it is thought that they mav resolve 

some problems with tactical data entry, though pilots must keep track of more potential mode 
i n t erac tion s . r 

Vertical navigation profiles generated by the FMS take account of standard ATC altitude 
aS uf 1 aS Performance constraints, though the air traffic control system is not! 

at th.s time, able to take full advantage of the capabilities of management automation which 
calculates profues based on actual rather than best average aircraft weight. Optimal descent profiles 
will therefore differ enough' to cause sequencing problems for ATC. 

rn , ™ wer air . craf£ ’ tranua! tuning of navigation radios is possible onlv by interacting with the 
CDU. Many pilots have complained that alphanumeric entry of frequency data is more time- 

consuming and requires more prolonged attention inside the cockpit than setting the rotary selector 
knotis m older aircraft 3 

Though flight management systems Duly permit pilots to manage, rather than control their 
aircraft, the dynamic nature and increasing congestion of today’s operational environment has 
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strained the capabilities of the human-machine interface (see below). Despite this, the systems are 
extremely effective and have enabled many improvements in operational efficiency and economy. 

Flight management system displays: The greatest improvement in FMS display 
capability has been its integration with aircraft navigation displays, freeing the svstems from some 
of the constraints imposed by small alphanumeric CRTs. The addition of color to the CBU display 
(early displays were invariably monochromatic) may help, though the resolution of the coior 
displays is le.->$ and the usefulness of color in this application has not received much systematic 
study. The design of pages, however, still represents a compromise between the amount of 
a_phanumeric data per page and the number of pages necessary to enable a particular function. 

As shown above, the displays are complex and the number of pages is large. The attention 
required for re -programming has led to undesirable ad hoc procedures in the cockp r an 
appreciable number of pilots prefer not to interact with the systems below 10,000 feet during 
descent, in order not to compromise aircraft management and scan for other traffic (ref. 19,77). 
This approach permits human resources to be devoted to more important tasks, but at the cost of 
losing some of the benefits of the FMS during flight in the terminal area (such as its knowledge of 
altitude restrictions). This is clearly a problem of human-system interface design, rather than a 
problem in the design of the systems themselves. A number of research and development efforts 
are underway to improve these interfaces and specifically to make them less totally dependent on 
cumbersome alphanumeric data entry, but considerable attention to the CDU displays is also 
Wa ^ ntCd rernain important questions about the integration of these systems into the overall 

cockpit and automation design, and it is these integration issues that most need to be resolved. 

The Future of Management Automation 


Flight management systems have been brought to a highly-advanced technological state in a 
very short period of time. New systems will be able, to take advantage of new navigation aids, in 
particular satellite navigation, without appreciable further development. Future systems may 
provide further assistance to pilots by providing autotuning of communications, as well as 
navigation, radios when new communications frequencies are uplinked to aircraft by data link; this 
means of communication will also become the channel through which clearances and subsequent 
amendments are transmitted to aircraft, and may become the primary means by which pilots assent 
to or request modification of such clearances. 


It is this technology and the uses that will oe made of it that raises the most serious questions 
concerning the future of management automation. Data linked clearances will require only consent 
from puots to be entered automatically into the FMC, and acted upon thereafter. Will pilots fully 
consider the potential impact of a clearance change before accepting it? Will they be as aware of iis 
impact given the ease with which new clearances can be transferred to the FMS? Will situation 
awareness be maintained? When the airplane is being manually controlled, will the flying pilot 
whose visual attention is largely centered on the flying task, be fully aware of the changes when 
they are presented visually, rather than by voice as is the case today 9 


Pilot refusal to accept a new or amended clearance, on the other hand, will require negotiation 
oe tween the pilot and controller. How will such negotiations be conducted? Will thev be between 
aircraft and ATC computers, or will voice communications be used in such cases? If between 
computers, how will the pilots (and controllers) remain directly involved? How will intent be 
communicated between the pilots and controllers? If the negotiation process is slow or onerous, 
some pilots will be tempted to simply accept a clearance rather than argue about it, especially when 
their workload is high. Ways must be found to avoid such problems. 


Will the correctreception of uplinked data be verified with the ATC computer before the data 
are acted upon by the FMC? How will errors in automatic clearances be detected? This is a 
difficult problem under high workload conditions today: errors in clearance readbacks are. not 
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infrequently missed by controllers if indeed there is time between transmissions to read them back 
(ref. 78). Will the architecture of the new communications systems be designed to improve c.iui 
resistance? 

Error resistance could be materially improved by comparison of pilot-entered FMS data with 
clearance amendments, and by comparison of critical data in the FMC with ATC computer data to 
verify that an airplane is indeed proceeding in accordance with ATC's intentions for it. This could 
drastically decrease the large number of altitude excursions that occur in the present system (ref. 
79), and most important, could prevent many such excursions before they occur rather than 
detecting them only after they occur. Advanced ATC automation will look much farther into the 
future to detect potential conflicts and resolve them prospectively (ref. 80); if the FMC is to 
communicate with ATC computers , new methods of detecting and especially of avoiding potential 
future errors also become possible and should be considered. 

It is clear that die integration of the air and ground elements of the aviation system will proceed 
at aii accelerating rate. At this point in time, when the architecture of the more integrated system is 
being developed, all system participants should be considering how to improve system safety by 
increasing error resistance and error tolerance, both by more effective digital communication and 
by including data that can be used for error detection and mitigation. If this is not done prior to 
ATC data link system design, it will be much more difficult later. 



Figure 37: Present and future options for management of air traffic. 


Questions regarding future management automation do not relate to flight management as it is 
now accomplished, but rather to the respective roles of the humans and computers (figure 37). At 
this time, the pilot closes the flight control and management loops. The coining availability of data 
link between aircraft and air traffic computers creates the potential for other management options 
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HI: THE ENVIRONMENT OF AIRCRAFT AUTOMATION 


Introduction 

It is not sufficient to consider aircraft automation independent of the environment in which it 
exists and is used. All tools are products of the societies and technologies and individuals which 
developed them; aircraft automation likewise is a product of the environment and context within 
whiCti u was developed, and it is a too! for the people who operate and manage the aviation 
system. Aviation is somewhat different from manufacturing, however, in that the production units 
may oe both operated or controlled, and managed, by the same persons. To that extent, both 
manuax and cognitive skills are required to be. resident in the same operator, and the sharp division 

between uomg and “thinking” that characterizes Taylor's scientific management notions (ref 811 
is not present. ' 

European ESPRIT program emphasizes the “human-centered workplace”, and much 
research that, preceded it or has been done under its auspices has been motivated by sociological 
and cultural concerns (ref. 82). This is relevant in this context, because in aviation more than in 
most endeavors, the concept of social “class” is blurred. The workers, to a considerable extent 
are o the managers in flight operations and in air traffic control as well, and failure to recognize 
this d ality has brought more than a few operations to grief. Despite the best efforts of those who 
seek a clear demarcation between labor and management, pilots and controllers alike persist in 
acting m noth capacities and do not, on the whole, behave consistently as one or the other. 

In this section, we consider the context of aircraft automation: the vehicles, the physical 
environment ana the operational environment in which they fly, and the people who operate them 
All have changed considerably in recent years and will change further in the near future. To remain 
an effective resource, aircraft automation, now an essential tool for aviation system safety and 
productivity, must taxe account of these changes. * 



Figure 38: Aircraft in the future system. 
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The Aircraft 
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Indeed, the proliferation of aircraft models within a single type ar.d carrying a single type 
certificate has also posed potential problems. Daring a flight sequence pilots in some carriers may 
fiy both early (197C vintage) and just-delivered modem variants of tine same aircraft, carrying 
vastly different amounts of automation, instrumentation and other cockpit aids. The enormously 
successful Boeing 737 series., of which more than 2000 have been delivered between 1967 and the 
present, spans the entire development of advanced automation. The MD-90 carries the same type 
certificate as the original DC-9-10, first delivered in 1963, and pilots in some airlines may fly 
several of its seven models. Pilots are giver, differences training to acquaint them with the features 
of the various models, but cockpit operations may differ substantially across models, some of 
which may contain modem flight management svstems while others have onlv a simple autopilot 
and fully manual subsystems. 

The Physical Environment 


Trough aircraft have changed dramatically, they are still operated by “Mark I” humans in a 
Mark I physical environment. What has changed is the amount of pressure on airlines to 
maintain schedule regularity in the face of uncontrollable variations in weather (figure 39). The 
increase in aircraft flying hours on tighter schedules and the growing use of the ‘hub- and- spoke” 
concept of airline operations have imposed increasingly severe penalties for delays and diversions. 
A single non-amval at a hub early in the morning can affect as many as ten departures later in the 
day. Airline gates are in short supply, particularly at hubs; this again increases penalties for a late 
(or even an early) arrival. 



Figure 39: The physical hazards: thunderstorms, high terrain, snow. 

Though pilots still remain the sole arbiters of their operations when safety is threatened bv 
weather or unfavorable runway conditions, the tighter economic climate, reinforced by the demise 
of many inefficient carriers, has affected everyone in the air carrier industry. Airlines and pilots 
alike find themselves forced to operate profitably in a real world whose physical constraints have 
not changed. They have done so in part by gathering and disseminating more and better 
information about the state of the physical environment, in part by the use of automated scheduling 
and planning aids, and in part by utilizing the flexibility of the human operator, who remains the 
primary defense against operations beyond safe limits thru may be difficult to discern at the time. 
This defense has not always been effective, as was shown in a Delta Airlines L1011 accident 
following a microburst encounter at Dallas-Fort Worth (ref. 83). That they have usually been able 
to do so in the face of unrelenting pressure says a great deal about the effectiveness of airline 
training and supervision; it also says a great deal about the effectiveness of regulatory and 
certification authorities in setting reasonable but safe minimum standards for air transport 
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The Operational Environment 
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strike m 1981 forced the Federal AtSo“SffitSfti« Systen ] dunn S the strollers’ 
capacity of the national airspace svsterrr fiow co^l ^sTh, t0 n irnposc Ionian limits on the 
system was able to operate within the X ^ Pnmary means through which the 

steady increases in airca^eSfic duriS Ite ATC faciliti «- 

strike, again strained the capabilities of the airsDaces’vstoS^nnw* ** f j ainful . recover >' fr °ni the 
and increasingly automated, provided the sirafeSc ZwStf 1 0l ’ consid -rably improved 

delaj^itTSp^tnre duc^ro^a^c^^or’otl^^fclenM^^'lreiicelv^itfop^ntkns^ardel^s 
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obtaining a takeoff slot. Not so the AI'C system, which controls literally every movement of everv 
air earner airplane from gate to gate. Air traffic controllers and pilots together are the operators of 
the system; they share responsibility for safe mission completion. 

Air traffic controllers operate a largely manual air traffic control system under an extremely 
comprehensive set o t rules and procedures designed to cover virtually every eventuality that may 
arise in the conduct of flight operations. Though controllers have been freed to some extent from 
pure y procedural control of air traffic by the advent of radar and altitude-encoding transponders 
wmch provide them with three-dimensional indications of aircraft locations, constraints imoosed 
by the increasing volume of air traffic still force them to work largely by inflexible rules, a source 
of continuing annoyance both to them and to pilots who are unable, by virtue of those rules, to 
operate as et.icientiy as they would like to and as their airbeme automation would permit them to 
* he discrepancy between airborne equipment capabilities and the ability of ATC to permit the use 
of those capabilities has increased and become more obvious since the introduction of h’ghl v- 
automated aircraft with vertical navigation options. 



Figure 41: The air traffic control system. 

The inherently manual nature of air traffic control forces it to operate in a highly orderiv 
manner (figure 41). The present system is highly intolerant either of disorder or of human errof 
as was tragically demonstrated in two recent collisions between two aircraft on ran ways at Lcs 
Angeles and Detroit (ref. 84) Incident reports demonstrate that in-flight emergencies also, while 
generally' well-handled, may in turn precipitate other problems involving other aircraft (ref. 85). 
Indeed, the ability of the system to handie anomalies is largely due to the flexibility of its human 
controllers, who demonstrate great professionalism and skill in theii conduct under difficult 
circumstances. 

The FA A has embarked on a major re-equipment program to provide ATC with better tools 
with which to conduct its operations. Massive automation of the ATC system during the next two 
decades will permit the limited capacity of U.S. airspace, and particularly its heavilv-congested 
terminal areas, to be utilized to the fullest extent possible, though without new runwav capacity the 
airspace system will continue to be under severe strain into the foreseeable future. As indicated in 
the previous section, ATC automation will force drastic changes in the role of the air traffic 
controller, it may also cause major changes in the processes by which air traffic controllers and 
pilots have worked together to accomplish the mission. 

Not ail of these changes will be bad. by any means; the automated en route system should be 
able to accommodate pilot and company route preferences much more often than is now the case. 
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AERA by itself will not, however, be able to improve terminal area operations appreciably, and 
research is now underway both within FAA and NASA to assist terminal area traffic management 
by providing controllers with automated decision aids to improve arrival traffic flows ref 64,86). 
If, however, an automated ATC system inhibits the ability of controllers and pilots to work 
cooperatively to resolve problems, it will severely limit the flexibility of the system, and the loss of 
that flexibility could undo much of the benefit expected from a more automated system. 

Unfortunately, the gains in capacity from improved airspace usage will be limited at best 
without new runways or radical differences in operating methods. The social and political 
p; obiems posed by new airport construction have thus far seemed insurmountable, despite the 
g owing dependence of the public on air transport for both the conduct of its business and its 
)e sure (ref. 17). This problem is beyond the scope of this document, but the fact that it has thus 
far been insoluble is forcing aircraft to operate to tighter and tighter tolerances. Separation 
standards long considered inviolate have been relaxed in the Los Angeles and six other terminal 
areas; FAA and NASA will shortly begin to examine ways of permitting aircraft to conduct much 
more closely-spaced parallel or converging approaches to landing under instrument meteorological 
conditions (ref 87). The latter change may be enabled, in part, by new collision avoidance 
displays, along with better ground radar, but it may also require more automated operations under 
these conditions, and both changes will certainly require higher levels of vigilance and will 
probably place higher cognitive demands on pilots and controllers alike. 

It should be noted that the rules and regulations governing air transport have not been 
conclusively proven to be “safe enough” to produce an extremely safe system, though most of the 
accidents that occur are due to contravention of those rules and regulations or to errors in carrying 
them out. But we do not know how much of a margin of safety is embodied in those rules, for air 
carriers and ATC have usually operated to a standard somewhat higher than the rules require. We 
are now being forced by increasing traffic congestion to operate to the limits of the rales for air 
traffic management, and in some carefully-considered cases to relax them. This is an exercise 
fraught with peril and it must be approached with the greatest care, tempered by common sense and 
careful research and operational testing. Improvements in automation technology can help humans 
to accomplish new and more difficult tasks, but automation should not be used to increase system 
throughput beyond the limits of human capability' to operate manually in the event of automation 
failures if humans are to remain fully responsible for system safety. There is increasing evidence 
that this could be allowed to happen during the coming decade, at least in air traffic ccntro. 

The Human Operators 

In considering the context of aircraft automation, the most important facet is the human being 
who operates, controls or manages that automation in the pursuit of human and social objectives. 
Though in a previous section we made reference to improved aircraft still operated by the “Mark r 
human, this is true only in a general sense. Individual human capabilities have not changed very 
much in the short history' of aviation, but human operators, considered collectively, have changed a 
great deal, in the course of learning to design and understanding how to operate the advanced 
technology' that characterizes aviation. 

Ar. unprecedented expansion of air carrier flight operations during the 1980s, coupled with a 
decline in the number of available military pilots and changes in Federal regulations concerning 
hiring, has precluded the carriers from continuing to rely almost totally on fully-trained military 
pilots for their new entrants. Persons v/ithout military experience, often with more limited aviation 
backgrounds, have been hired in large numbers in recenr years. A large proportion has come from 
the ranks of commuter airlines, some of which have regularly experienced turnover of well over 
50% per year because of this. More women, minorities, and older persons have been permitted to 
enter the air carrier work force. The overall complexion of the air carrier pilot population is 
changing more rapidly than at any previous time in history. 
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Though this has had many effects, good and bad, it has meant that airlines can no longer 
assume a common pool of shared experience in their new pilots. They must therefore develop a 
snared adherence to their desired standards through ncw-hiie training, initial operating experience 
ana continued training in line operations. Airlines have alwavs rehed upon their captains to 
conduct much of their training, and the system has worked well, but airline expansion has also 
meant that pnots progress much more rapidly to captain status: for this reason, captains also mav 
have less experience than their counterparts of a decade ago. These factors, rapid progression 
different seats and different airplanes, and other related factors pose another threat of a 
different sort to operational safety. The NTSB has commented unfavorably on the pairing of crew 
members both with very limited experience in the aircraft being flown, in several accidents 
notably .1 Continental Airlines DC-9 takeoff accident at Denver (ref. 88) and the US Atr B-7V7 
takeoti accident at LaGuardia Airport in New York (ref 89). 

Experts solve problems quite differently from novices (ref. 90). As we train a more 
eterogeneous population of air earner pilots, we must also train problem-solving skills, a topi'' we 
have tended to take for granted in the past. In particular, it will be necessary to train at least some 
o* the new entrants in problem-sot ving under time pressure, a task for which cockpit procedures 
trainers and more capable simulators are well-suited. > 

Each of these factors makes rule-based operations a virtual necessity; the inroosition of 
standard rules and standard operating practices can do much to maintain umW operating 
standards in a diverse group of people. Bemger points out, however, that while “programs control 

exkr?aI^S^hi S1 f nS ’ ( f odei ’ s ^completeness theorem says that in any formal system there 
exists an -...decidable formu.a, and that the consistency of such a system is also undecidable (ref. 

“A LSl 1 SCS th L * de ' S H 1 , lhn f’’ effecl of automatizing behavior and derides the 

American tallacy of “the one best way” (ref. 92). 

Humans are not automata, and it was noted above that pilots, in particular, persist in behaving 
both luce operators and managers. Too much reliance on rules produces both a decrease in 
ince "5 ve over-reuar.ee or. set ber.avioral formulas in an environment in which the unexpected 
can be confidently predicted to occur. The point of this is that while standard operating procedures 
e necessary and desirable, they cannot in all circumstances be considered a substitute for what 
our British colleagues call “airmanship”: the ability to act wisely in the conduct of flight operation 
under difficult circumstances. 6 ^ 




Figure 42: Training 15 essential for uniformly effective performance. 


1 raining is expensive and time-consuming. Trainees must be pa ; d while in training time 
spent in training is lost from production, and a training staff must be maintained. Air camera have 
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1 StCpS { ° reduCe J ffainin S dmc whiJ e improving the quality of their training 
p.ograma, the FA A has recently issued a major revision of its policies regarding'trainine (ref 931 
Nonetheless, a less experienced, more diverse pilot population ii now the obiecfrfSS Suing' 
aL students must be brought to airline standards (figure 42 ). The introduction of advanced 
automation does tic: reduce training requirements; on the contrary , pilots must now ieam to operate 
very complex automation as well as the other airplane 

phots ,iave expressed concern about whether training time formerly devoted to improving 
airmanship is now diverted to training to operate automated systems and about the poss^bl- effe^s 
of this change in emphasis (refs 77 and 94). p0bSiD ‘ w eneClS 

^ iat a< * vance . d automation may be able to permit the selection as air 
: * 4 “ s r 1 ! eSi Q^alifiea persons than have been required heretofore Indeed in other 

ndustxies employing advanced automation (notably the nuclear power industry- operators without 
advanced education and experience have been the rule. In aviation, however LhSe TSZf" no 

US If * this fP? roach ’ ^ need for pilots and air traffic controller' to bnw 
intellectual as well as manual skills to their jobs has no; lessened Experimental studies have 

pil °' s “?"* missi0ns bri "S «* itair ££? Wgh Z%1 to* 

ot expressivity .social skills) and mstnimcntality. or task orientation (ref 05, One threat onsed hv 

** h may m ? C thl ^ S to ° and tSy remove f^ S th'e 
profc^ion iow oTfai fn 2 ? “ f the «*o-gra<ific«iOf. and job sa.isfac.ion A « the 
Anything™ a f P ’ ° f ' vhom would 5,iU ralher •* to a living that, doing 
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IV: ATTRIBUTES OF HUMAN-CENTERED AIRCRAFT AUTOMATION 


Introduction 

In a landmark paper ir 1980, Wiener and Curry discus: ed “Flight-Deck Automation: Promises 
and ?rob ! cras” (ref. 35). They pointed out that even at that time, the question was “not whether a 
function cart be automated, but whether it should be, due to the various human factor questions that 
are n isedF They questioned the assumption that automation con eliminate human error. They 
pointed out failures in the interaction of humans with automation and in automation itself. 

They discussed control and mon- 
itoring automation and emphasized 
the independence of these two forms 
of automation (figure 43;; "it is 
possible to have various levels of 
automation in one dimension inde- 
pendent of the other.” 

The authors then discussed 
system goals anc. design philosophies 
for control and monitoring auto- 
mation. They viggested some 
generalizations abot \ advantages and 
disadvantages of automating human- 
machine systems, and went on to 
propose some automation guidelines 
for the design ar' J use of automated 
systems in airenu 


It is worth recalling Wiener and Curry’s guidelii. s, because they foresaw many of the 
advantages and disadvantages of automation as it is used toe y. The following are abstracted from 
their guideline statements. 

Control iasks 

1 System operation should be easily interpretable by the operator to facilitate the 
detection of improper operation and to facilitate the diagnosis of malfunctions. 

2. Design the automatic system to perform the task the way the user wants it done.. .this 
may require user control of certain parameters, such as system gains (see guideline 
'0- Many users of automated systems find that the systems do not perform the 
function in the manner desired by the operator. For example, autopilots, especially 
olde.: designs,. have too much “wing waggle” for passenger comfort when tracking 
ground-based navigation stations. ..Thus, many airline pilots do not use this feature... 

3. Design the automation to prevent peak levels of task demand from becoming 
excessive... keeping task demand at reasonable levels will insure available rime for 
monitoring. 

4. ... T.e operator must be trained and motivated to use automation as an additional 
rev >urce (i.e., as a helper). 


Airro-f 


MONITOR 

FUNCTIONS 


MANUAL-4 


COMPUTER 
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• H!GH WORK1 OAD CONTROL FUNCTIONS 

• Fatigue 


Figure 43: Monitoring and control functions 
(redrawn from Wiener and Currv, 1980). 
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5 . Operators should be trained, motivated and evaluated to monitor effectively. 

c. Jf automation reduces task demands to low levels, provide meaningful duties to 
maintain operator involvement and resistance to distraction...* is extremely inSSaS 
that any additional duties be meaningful (not “make-worn" V lmportam 

7 . Allow for different operator “styles” (choice of automation) when feasible. 

8 !“le? Sy5 ’' m « !l «* iwtnsidve to different options, or 

9 ! rneims for ch “*?, n S setup Md information input to aulomatic systems 
Manj automatic system failures have been and will continui to be one™ 2 11™ 
ra.ner than hardware failures. The automatic system itself can check some),! the 

wteLpproS,riaT d;n ’ * m>r ‘ CheCkiB * K t'“P m = m ' Procedures should be pmvitfcd 

10 omyToTns^toii^^^ ° S 7 W ” " 0,kmt w ’ ,h »**»»»* «Wn*m. not 
omy to insure proper operation and setup, Dut to impart a knowledge of comet 

treatment*). ^ anonm3y detect30n) aild nialfuncticn procedures (for diagnosis and 
M onitoring tasks 

! 1 ' Mthin accep,ablc limi,s <recogni2 ' ,he effea ° f 

1 ^' ^ larm * Wlth m ? re one mode, or more than one condition that can tripper rhe 
display 02 * ' ™ 8 ' dear ' 5 ' indicaK which «ndirion is responsible for the alaSji 

1 4. The format of the alarm should indicate the degree of emergency. Multiole levels of 
urgency of the same condition may be beneficial- ^ 

I5 * «whnjq«»es and possibly training hardware...to insure that flightcrews 

j? ability ,0 

additional decade of experience and hindsight gu-oeunes with the benem of an 
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System Goals 


Befon.* considering guidelines for aircraft automation, it is wise to remind ourselves of what 
the aviatior system is aii about, to consider how and why automation is necessary and beneficial, 
and to review those aspects of automation that may need improvemenL 

Wiener and Currv (ref. 35) outlined several system golds from the viewpoint of the user 

1. To provide a flight (from pushback so docking) with infinitesimal accident 
probability. 

x,. To provide passengers with the smoothest possible flight (by weather avoidance, 
selection 01 this least turbulent altitudes, gradual turns and pitch changes, and gradual 
altitude changes). 

3 . To conduct the flight as economically as possible, minimizing flight time, ground 
delays, fuel consumption, and wear on the equipment. 

4 To minimize the effect of any flight on the ability of other aircraft to achieve the sawn* 
goals (e.g„ by cooperation with ATC in rapidly departing altitudes when cleared, 
freeing them up for other aircraft). 

5 . To provide a pleasant, safe and healthful working environment for the crew. 

We suggest a very similar list as the minimum which must be attained; we feel also that the list 
must be sufficient from the viewpoints of all involved: the manufacturer, the airline, the pilots, the 
traffic management system, and the passenger. Not all (nor indeed any) of these participants 
wilt be satisfied with every flight, but all must agree in general with the goals of the system. We 
believe these are the goals of the air transportation system: 


1 Safety: To conduct all flights, from pushback to docking, without harm to persons 
or property. 

2. Reliability: To provide reliable transportation without interference from weather or 
other variables. 

3. Economy: To conduct all flights as economically as possible. 

4. Comfort: To conduct all flights in a manner that maximizes passenger and crew 
health and comfort . 


These goals may obviously conflict; tradeoffs among them in operations as well as in design are 
often required. 

Safety has always been proclaimed by the aviation industry as its primary objective, even at 
the expense of the other goals. The Federal Aviation Act of 1958 (ref. 96) required the FAA to 
control air carrier operations to maintain “the highest level of public safety,” but even this term is 
elusive. Taken literally, it can be read to require that any step that may improve safety, no matter 
how expensive or burdensome, must be implemented. Taking a slightly less extreme approach, 
the phrase could be interpreted to mean that any step that can be proven to increase safety will be 
taken. This is fairly close to the approach that has guided the industry in the past, despite 
occasional unfortunate exceptions. Reliability, economy and comfort have 'been secondary goals 
though they are critical to the survival of this critical element of the national economy. 
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Has aircraft automation contributed to the fulfillment of these system goals? An examination 

^f r !ili; a v mcr f c ^ clc u ts by 1 rf u F nann and colleagues (ref. 9?) suggests that more highly automated 
aircraxt wave had i substantially less accidents than earlier aircraft. Ten years after their introduction, 
trio Boeing 151/167 types have been involved m only one fata; mishap (Thailand. 1991. under 
investigation), a truly remarkable record in view of the propensity of new types to accumulate most 
of their accident experience during their earliest years of operation. There have been fatal accidents 
vtnough a very small number ; involving other current-generation aircraft, but Lautmann’s finding 
olde^fee? C0ITeCt ’ U ™ y au S er wc!1 foT die future, when newer aircraft will have replaced the 

Nonetheless, the same study showed that some air carriers, nations and regions of thf* world 
operate considerably more safely than do others. As these other carriers, nations and regions 
ecome more prosperous and acquire mere advanced-technology aircraft, will their safety records 
likewise improve dramatically . The infrastructure of aviation in many areas of the world is still 
sorely lacking, and it takes more than excellent aircraft to make an excellent safety record Will 
advanced technology be able to compensate for deficient navigation aids and airports 0 Can 
automation itself make the system more error-resistant? ^ 

nronirfj^, r ' fercnCe s >' stems and map displays certainly make an aircraft less dependent on 
properly functioning navigation aids and improve position awareness, the lack of which is still 
assocm^ with u appreciable number of air carrier accidema. Will such tap. ovemems rose^er 
wi sateLite navigation systems, compensate for the greater complexity of advanced automation? 

f h j S b f en . improveci; autoland-capable automation has increased the number of 
aghts able to land at destinations obscured by very low visibility, and windshear detection devices 

^s emswti iTSkf ™)' not be apparent to pilots. Collision-avoidance 

W1 “ llk ewise P r f ovia “ additional protection against an increasingly frequent hazard. Will 
improvements in aircraft automation be able to counteract, to some extent, the delays forced by 
increasing congestion in the airspace system? Time-based (‘Tour-dimenS ” or 4-S 
navigation, a probable feature of the next generation of flight management systems will at leas 
permit us *o make most effective use of the fixed volume of airspace. 

Economy has been improved by flight management systems that can take costs into account 
m constructing flight plans, though the benefits possible from such computations havp h~n 


--- -- — --.7 — - - * * ^ w outran 10 operate on most cost-efhcient nrofiW Thk 

should be improved by ATC automation during the coming decade, as wcU as b^ti me -based 
navigation software in new flight management systems. ' me bascd 

Comfort has been improved by gust alleviation algorithms in some of the newest aircraft as 
well as by the ability of newer aircraft to fly at higher altitudes; comfort in the cockpit has also teen 
improved uy better ergonomic design. Greater flexibility enabled by ATC automation will permit 
pilots to utilize a wider range of options to achieve more comfortable flight paths 

- J kat rcspect ? w f sti11 deficient with respect to these system goals? It is not the purpose 
°L thls doc ument '° laud what has already been accomplished, but to examine what can be done to 
affect further .rnprovement, and in die introduction we suggested that further improvement is 
clearly possible. Most of our accidents can be traced to the human operators of the system and 
some can be traced to the interactions of humans with automated systems. We belie ve thaTm^re 
can be done to make aircraft automation more human-centered, but perhaps even more import^ 
we believe tnat advanced automation can be designed and used to make the svstem as a whole more 
™ t o and tolerant of human errors in the design, the implementation, and the operation^ 
Dur gU ?° e H ne s i accordingly emphasize this aspect of automation, one thafwe fhiiSc 

has received less attention m the past than it deserves. 
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Attributes of Aircraft Automation 
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We will discuss here several attributes that human-centered aircraft automation should 
possess. ->ur discussion of these attributes may seem anthropocentric, but humans are used to 
thinking m these terms. If automation is to be an effective and valued member of the cockpit 
management team, it, like the other members of the team, should possess these characteristics. 
— ach attribute is named, defined, described and discussed briefly. Our first guideline mi^ht be 
simply ihat human-centered aircraft automation should possess these attributes in proper measure. 

The reader of this section must keep in mind that these requirements are not mutually 
exclusive An automation suite that possesses some, or even many, of these attributes may still be 
a failure if they are considered in isolation aunng design, for several are interrelated. As in any 
engineering enterprise, it is necessary that the right compromise among them be sought. The onlv 
v ay to be sure that an effective compromise Has been reached is the evaluation of the total svstem 
m actual or simulated operation by a variety of puots of differing degrees of skill. Such testing is 
expensive and time-consuming; it must often be conducted late in development, under extreme 
pressure to certificate and deliver a new aircraft on time. Nevertheless, it is the only wav to prove 
the safety ana effectiveness of an automation concept. 

We are indebted to Fadden (ref. 98), who has pointed out that many of these attributes arc to 
some extent bipolar, though not truly opposites. That is, increasing the attention to certain 
attributes may require de-emphasizing others. We will discuss these attributes, shown here in the 
manner suggested by Fadden. Human-centered automation must be: 


Accountable <■ 

Predictable <- 

Comprehensible < 

Dependable < 

Error-resistant <- 


-> Subordinate 

— > Adaptable 

—> Flexible 

—> Informative 

— > Error-tolerant 


Accountable means “subject to giving...^ justifying analysis or explanation.” In older 
aircraft, automation executed actions only at the specific and immediate instruction of a human 
crew member. Advanced automation, however, is capable of more independent action (modifying 
a Climb or descent based on predetermined strategic objectives such as fuel conservation, entering 
or leaving a holamg pattern, resolving a conflict, etc.). Automated, decision-aiding or decision 
making systems, already in development for transport aircraft, will suggest or carry out courses of 
action whose rationale may not be obvious to flight crews. 



Figure 44; Accountability of automation. 
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‘tv in command must abie » request and receive a justification for such decisions 
(figure 44 ). This is a particular problem in aviation; there may not be time for the human operator 

maneuvwV) S av0£dailce ’ collision avoidance or windshear compensation 

5 automa 5 on anticipate the pilot’s request and provide advance 
(as > AS doc , s ty providing traffic advisories prior to requiring action to avoid 2 
r’n nmmS na2 ff otj its rules of operation in a particular, annunciated circumstance must be so 
tnoroug nly understood by pilots that ns actions m that case are already understood and accepted it 

toE C;, in r tCTf f £ at ex ? !anadons provided by automation be'east in terms that make sense 
the expi^anon f b aCU ° n of Such ex P lanaaon - must be appropriate to the pilot’s need for 


In th!S cSe^ SSs fell take ar-tl0r \ autonomously when certain failures occur. 

svnootic^ ti-1kne P ne^nif a it regarding the faults by examining the system 

They could reverse the actions taken, if necessary, bv reverting to 
manual operation of the reconfigured subsystem, though such action is not cncouraLdXsmnre 
autonomous systems are introduced, however, it maybe increasingly ro ES 

tra^k Oi what the airplane (or its automation! is doing, and mcreasin 2 lv diffcuh fnr th#*m 
maintain oversight of all aspects of their operation S Zy Z Iction ^e 

bipolar atmbute of accountability is subordination, to be discussed beiowf^afc^mSte'taEn 
to insure tlut this cannot ever become msubordination. The 2001 “Hal” sSnario is almost within 

18 "° ! aCC ' PaM ' ‘’“‘“M as long as EE’.JSSE 


subordinate to the human pilot or air traffic controller, who must remain in coiSLmd (figure 45). 


There are situations in which it is 
accepted that automation should 
perform tasks autonomously, as 
indicated above. More such sit- 
uations will be proposed for imple- 
mentation in the future; in particular, 
it is expected that ground proximity, 
traffic avoidance and windshear 
advisory systems will be provided 
with the means to act independently. 
Other similar situations are likely to 
be proposed in future, involving the 
interaction of aircraft and ATC. 
Should these be permitted? 

Figure 45: Subordination of automation 


Automation must be subordinate. 



ExoepS in predefined situations, it should never assume com man 
In those situations, it must be able to be countermanded easily. 


^ ave S< i? n cases in automation acted in ways not expected nor desired bv Dilots In 

liaSer i lurned toward ou£boand rather than the inbound track Sfan US 

• oth ’ a P. artlcalar automation mode permitted descent at idle thrust withom reeairi 
lo safe minimum operating altitudes. As automation becomes mote sclf-sufficienrcanahle^ 
complex, nwil! be increasingly diffl alt for pilots to remain aware of ^l acHons 

y r* r <™cult for diem to be aware of exactly , 

, . ^ .u Su , Ch a s,t “ auon wi » “" d » compromise the command" t,S! ?nd 
responsibility of the human operators, but more important, it may lead them to a oosition r.f 
extreme distrust of their automation, which could compromise the mtegrtty of the -n^ himsf 

W !5"« rc P<> TOd Pilots of highly automattffitf U^ndvTf 
What s it doing now? Why ts it doing that?” (ref. 99). These questions should nolbTneS^ ' 
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Predictable is defined as “able to be foretold on the basis of observation or experience.” It 
is an important characteristic; recent occurrences in which automation did not appear to behave 
predictably, i.e., as expected by pilots, have led to major repercussions due in large mart to 
aviators inherent distrust of things over which they do not have control. Some of these 
occurrences are cited above. Here again, the level of abstraction at which automation is explained 
or at which n provides explanations, is critical to the establishment and maintenance of trust in it’ 
the third question too often asked by pilots of automated aircraft is ‘mat’s it going to dc next?” 
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As automation becomes more 
adaptive and intelligent, it will acquire 
a wider repertoire of behaviors under 
a wider variety of circumstances. 
This will make its behavior more 
difficult for pilots to understand and 
predict, even though it may be 
operating in accordance with its 
design specifications. It will also be 
more difficult for pilots to detect 
when it is not operating properly. 

If such a system is not 
predictable, or if it does not provide 
pilots with sufficient indication? of its 
intentions, its apparently capricious 
behavior will rapidly erode die trust 
that the human wishes to place in it. 
Some automated devices in aircraft 
have simply gone unused because of 
this mistrust. Altitude capture 
modules in some high-performance 
aircraft have appeared unpredictable 
because their h i gh rate of approach to 
a selected altitude has not provided 
the pilots sufficient confidence that 
they would stop the airplane’s climb 
at the selected point, even though they 
were functioning properly — until 
disabled by the pilots in attempts to 
slow the rate of climb, which negated 
the capture function (refs. 62, 100). 

Advanced automation must be designed both to be, and to appear to be, predictable to its 
human operators (and these are not always the same thing, which is why explanations may be 
necessary) (figure 46). As noted earlier, when digital computers fail, they may do so in quite 
unpredictable ways; the difference between these failures and their normal behavior must be 
immediately apparent to the pilot 


1 

i 

Automated systems must be predictable. | 




Figure 46: Predictability of automation. 


Adaptability (discussed below) and predictability are, in a sense, opposites, in that hiehlv 
adaptive behavior is liable to be difficult to predict The behavior of the human organism which is 
characterized by a very high degree of adaptability may be difficult to predict (ref. 70) a fact that 
we constantly try to overcome by training, standard operating procedures, line and proficiency 
checks and a variety of other safeguards. This suggests the necessity for constraints on the 
adaptability of automation in a context in which the human mus. be able to monitor tire automation 
and detect either shortcomings or failures in order to compensate for its inadequate behavior. 
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AdaptMe, as used here, means “capable of being modified according to changing circum- 
stances. This characteristic is a. ready incorporated in aircraft automation: control law’s may differ 
in aixferent speed regimes; certain alerts and warnings are inhibited during takeoff, descent or 
approach; some displays are reconfigured or de-cl uttered in specific circumstances- some 
information may be unavailable either in flight or on the ground 



Figure 47: Adaptability of automation. 

£ OVi<ie ? With ' “ ra " ge ° f options for conTOl “<* ranagemcn. of .heir 
aircraft tfigure 47) Tms range of opuons is necessary to enable pilots to manage their workload 

take account of differing levels of proficiency, and compensate for fatigue, dis^ctionTHder 

act3vl£ies - In 11113 re 5 ard - automation truly acts as an additional member of the 

Lst^te^todo so 86 ” 160 ' tCam ’ aSS1£Ung Wlth or takin g over surely cenain functions when 

receiv^^iv^SR S S in°i 1S of ** olher ^butes). An incident report 

fnnm !, ■ i? 7< ? ( f 101 > described a wide-body aircraft which was turned onto final 

approach inside the final approach fix with autopilot in control wheel steering mode and 
autotluottles engaged. Dunng the flare, at 10-20 feet altitude, the airplane seemed to® W in de 

£ W3S very (14 de S^ s nose-up) and on touchdown the tail cone and aft 
fuselage contacted de runway. The autopilot had not been disengaged prior to touchdown and 
none of de crew members had noticed dat de airplane was still being guided by manual inputs 
CO t r3iri f nd m0de , 111311 3 dkect c °l umn 'to-controls mode. Some^air earners have 

S " mn8 " Wly - dc “ vmd ■ ta * “ *«» «* ™ g e of 

Itow much of a range of options is enough? At this point in time, control automation in some 
aircraft rcquires only management by exception. In an earlier section, we have asked wheder it 
would be wiser, in order to maintain pilot involvement at a high level, to require management bv 
consent with respect to consol tasks. We have also asked wheder de capability for unassisted 
manual control should be a required option (and have pointed out dat dis option is forcloSdd 

some flight phases by at least one flight control system) oseam 

Adaptability increases apparent complexity and is shown above contrasted with predictability 
to emphasize that extremely adaptable automation may be relatively unpredictable in certam 
circumstances. One of our first pnnciples of human-centered automation states that automation 
must be predictable, if tne human is to remain in command. 
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Comprehensible is “intelligible.” Many critical automation functions are now extremely 
ccmpiex, with several layers of redundancy to insure that they are fault- tolerant. Is it really 
necessary that the human operator understand how these functions are accomplished, or will 
simpler models suffice to permit humans to remain in command of the functions (figure 43)? 




Pilot's internal 
model of system 


Figure 48: Comprehensibility of automation 


It has been noted that training for advanced automated aircraft is time-consuming and 
expensive, and that much of the extra training time is spent learning about the automation. If 
simpler models that still permit reversion in the case of failures could be devised, they might result 
in training benefits. It should be remarked, however, that while automation can be used to make 
complex functions appear simpler to the pilot, the consequences of failure modes can appear highly 
unpredictable to that pilot unless the inodes are very thoroughly considered in the design phase 


Simplicity has not been named as a necessary attribute for human-centered automation, but 
it could well have been. It is vital that systems either be simple enough to be understood by human 
operators, or that a simplified construct be available to and usable by them. If a system is simple 
enough, it may not need to be automated. If it cannot be made to appear reasonably simple, the 
likelihood increases that it will be misunderstood and operated incorrectly. 


Technological progress is often equated with increased complexity. A careful examination of 
any reasonably capable video-casette recorder will support this assertion and indicate how far we 
have yet to go to make high technology intuitive and simple to operate. It is worth noting that new 

^ ~ A 1 i * - * Tr- r i ° 


technology has had to be developed to simplify the operation of VCRs and that many computer 

— i : 3 i »<i i i * « . . J “ 


V' f — - j — ****** ****** i wv/iupuiwt 

manufacturers have provided several “help” levels at which their machines can be operated. We 
have not provided this range of options in aircraft automation; perhaps we should consider doing 
so, at least in training. 
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Flexible % ‘Tractable; characterized by a ready ability to adapt to new, different, or changing 
requirements. The term is used here to characterize automation that is abie to be adapted to a 
variety of environmental, operational and human variables (figure 49). 

It was suggested immediately 
above that computer and software 
manufacturers have gone to 
considerable efforts to make their 
products simple to operate by people 
of widely differing skill levels. The 
term used by the trade is “user- 
friendly.” Though overworked, this 
term denotes a device or application 
that a wide variety of users can 
operate comfortably and effectively 
with comparatively little instruction or 
practice, surely a worthy aim for any 
human -machine system but one to 
which, thus far, too little attention has 
been paid by avionics designers. It 
would be desirable to allow pilots to 
tailor the degree of assistance they 
wish under given circumstances. 

Figure 49: Flexibility of automation. 



Advanced avionics systems now receive much of their knowledge base from periodic updates 
X f° S ° f ^ sJcs or ^ a5sett ® s - We believe they could as easily receive information regarding the 
P s for a given fhghi by the same means, and that this information could assist in tailoring the 
systems ana displays both to the preferences of specific pilots and to any limitations under which 
me puots are operating at the time (increased mimmums, etc.). The cassettes could be updated 

?f ;?r^r^fa' V aftCr CaCh fl ! r ght 1 to pr ° slde a mnnin g log, types of approaches conducted, etc. 
If improved monitoring of pilot performance becomes a pan of aircraft automation, a subset of 
monitored data stored on the cassettes after flight might also be of use to flight training departments 
in tailoring penodic training to individual pilot needs. P 

This son of flexibility might be of real assistance both to individual pilots and to companies 
> easing tne pilot s cockpit setup tasks and also by improving safety thre jgh more effective 
training. It has been observed in military studies that pilots of advanced strike aircraft rarely make 
use Oi more than a subset of the available attack modes; by limiting the options that they use, pilots 

n«P y pfo / lclRnt in lheir use - AlT transport pilots may not need to be proficient in the 

use of Jie full range of automation options, as long as they are able to get the job done effectively 
undei both normal and anomalous circumstances. The major reason for having a wide range of 
automation options is to provide flexibility for a wide range of pilots with experience that varies 
from very little to a great deal and cognitive styles that vary as widely. 

Flexibility was shown above as bipolar with comprehensibility. Give:, the tendency to an 
inverse relationship between these variables, comprehensibility must not be sacrificed for 
flexibility, because the ability ot pilots to understand their automation is central to their ability to 
maintain command. But they can I* given more help in understanding it and in manipulating ix by 
tne means used in other fields. Providing that help in recognition of differing needs and sty Ps 
among pilots can help to improve the error resistance of the total system b> permitring individual 
pilots, within die constraints imposed by flight operations, to conduct their tasks in ways that are 
most comfortable tor them y 
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Dependable, as used here, means “capable of being.. .irlie4 upon or trusted” (figure 50) In 
a cooperative human-machine system, the issue of trust becomes paramount. Pilots will not use, 
or wiil regard -with continual suspicion, any aircraft device or function that does not behave 
reliably, or that appears to behave capriciously. This distrust can become so ingrained as to nullify 
the intended purpose of the designer, i: may be wiser to omit a function entirely, even a strongly- 
desired function, rather than to provide or enable it before it car. be certified as reliable. This issue 
came up during initial implementation of GPWS. It has recently surfaced again as a result of a 
small number of apparently paradoxical resolution advisories provided by TCAS-II, leading some 
members of the community to suggest that the resolution advisory mode of the system be disabled 
until its algorithms are made fully dependable under ail circumstances. 



Figure 50: Dependability of automation. 

Another example of undependable automation was cited above, that of the localizer capture 
mechanism which occasionally directed the aircraft to turn away from, rather than toward, the 
landing runway daring the capture process. From tire pilot's viewpoint, it makes little difference 
whether such behavior is caused by the hardware, a software error, or an improperly-defined 
function; the net effect is a deterioration of trust. 

Dependability is of particular importance with respect to alerting and warning systems. We 
have observed before the problem of “false alarms” with early ground proximity warning systems 
and the tragic results due to mistrust of legitimate warnings by those systems. Unfortunately, any 
increase in the sensitivity of such a warning system will be accompanied by an increase in false 
warnings, a decrease in sensitivity will be accompanied by an increase in failures to warn when a 
warning is needed. Increasing the complexity of the algorithms to minimize false warnings while 
increasing sensitivity is accompanied by a decrease in reliability or dependability of the system. 
This dilemma exists today with regard to TCAS algorithms, already very complex, in the face of 
large numbers of “nuisance” alerts in certain congested terminal areas. 

Dependability is shown as bipolar with informativeness, discussed immediately below. If a 
system were perfectly dependable in operation, there might be no need to inform the pilot of its 
operation. Perfection is impossible to achieve, however, and the infortnaticn provided must be as 
nearly foolproof as possible, bearing in mini that each increase in information quantity makes it 
more likely that the information may be mssed, or even incorrect. Simplicity of systems breeds 
dependability; when faced with a dilemn a such as this, any system simplification that can be 
achieved will probably pay dividends. 
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h, rJ, n '' ,r "! a ‘ i A enes5 is . 5 ™P*>' »•» condition of “imparting knowledge." Our fiiat onrcipies of 
human-centered automauon state that the pilot must always have basic tafortmdon (figmi 5 7) 


Au tomation must keep the pilot informed. J 
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What is the airplane doing^ 
What \s the automation doing? 
Have i any problems?- — 




“Where am I now? 
Where do i go next* 5 • 
- When do 1 do it? 


Figure 51: Informativeness of automation. 
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can P^fh.Tth! 1 informatlon is enough? How much information is too much'’ Pilots want all thev 

^®^^^^®s^s a ^?re^we C ^y°have^ro^^^too muc^ 
(pp°?3^7Tthe SsSbTiity Splays and 

Gr^^omtTlevel^^acdve ^fwmadOTTf^TgeTOnU^pracd^now^n^e^e^^i^”^ 1 *^ 

suppression during critical flight phases); a small amount mom might 
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Error resistance: Ideally, aircraft automation should prevent the occurrence of all errors, its 
own and those of the human operators. Thus is unrealistic, but it is possible to design systems to 
oe as error-resistant as possible, both with respect to their owr. errors and those of the operator. 
Resistance is '‘an opposing or retarding force," a definition that recognizes the relative nature of the 
phenomenon. Resistance to error in automation itself involves internal testing to determine that the 
system is operating within its design and software guidelines. Resistance to human error is more 
subtle, it may involve comparison of human actions with a template of permitted actions, a 
software proscription against certain forbidden actions under sped 'led conditions, or simply clear, 
uncomplicated displays and simple, intuitive procedures to minimize the likelihood of errors. 



Figure 52: Error resistance of automaton. 


Automation of unavoidably complex procedures (such as fuel sequencing and transfer among 
a large number of widely-separated tanks to maintain an optimal center of gravity) is necessary and 
entirely appropriate provided the human is “kept in the loop'* so he or she understands what is 
going on. The system must be able to be operated by the human if the automation fails, and it must 
provide unambiguous indication that it is functioning properly. Guidance in performing complex 
tasks (and fuel balancing may be such a task) is helpful, whether it is in a qu ; ck reference 
handbook or in the form of an electronic checklist. Prompting has not been used as effectively as it 
could be in aircraft human-system interfaces. 

Questioning of critical procedures (those that irreversibly alter aircraft capabilities), cr 
requiring that critical orders be affirmed by pilots before they are executed, can ’be additiorai 
safeguards aganst errors . These queries can also be automated, either by themselves or as part of 
a procedures monitoring module which compares human actions with a model of predicted actions 
under various circumstances. Such models have been developed in research settings (ref. 102). 
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b-eou^mMrS? OWn l ° COm T a PP" endy random ’ ««P«^«abl e errors with some 

‘<cquenc> (rets. 70 and 103); it is extremely unlikely thst designers will ever be able to <wis* 

** 1 *?”■ mi bcu ’« the •« i* «Se«Mi .. pmvIdTal,^ n-an< 
• pl ° t - '■ a ' 1 d;I ? c ! Ihc ,lcl a human, or an amomarior. error has occurred Such 

. ^ ! r ng :\ m , us ce P r °viaed in enough time to permit pilots to isolate ; ie error, and a mean - n-'st 
be provided by wnuh to correct the error once it is found. Where this i not ^fbV the 
consequences of an action must be queried before the action itself is allowed to proceed ' ' * 

Error- tolerance: Since error-resistance is relative rather thar; absolute there needs to hr *, 
layered detense’ against human errors Betide building systems to resm ereors^Tn^h^" 
possible, it is necessary ard highly desirable to make systems'tolcrant of error Tolerance 
he act of allowing something” in this case, it covers the entire t anoclv ofS*. ZcZ be u S 
to insure mat wntn an er or is committed, it is not allowed to jeciudiie safe™ 


Automation must be error-tolerant 


J 







Figure 53: Error tolerance of automation. 

Nagel (ref. 42) has pointed out that “it is explicitly accepted that errors wih occur- 

l w n ?? mt< ! r the hurTiai1 crew aRd t0 detect errors as they are made ’ The aviation svsterr is 

shouW be confirmed before execution. Closing fuel valves on bo “eT/„es of a 
transport, an action that has occurred at least twtee, is almost certainly an etfor if Stome‘"ref ‘ “ 
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’ tho f *** coulcl P°^ 311 imminent threat to safety. The latter should be guarded 
against regardless of their reported frequency. (See also Rouse, reference 20.) 


Discussion of Attributes 


. ', tanCe ^ CI J°[ toleTance ^ »ot opposites, as miget be inferred from the bipolar scale 

r‘ 21 ^, e ^ 1 J lraR S ( ;‘ ^ s section; on die contrary, they are complementary in every respect 
Botn are highly desirable and necessary: many aspects of automation todav^incorpoYaie Sh 

w U f K l i° nSI ' kTabl l turth ^ ur ? rovement 15 Possible. The other attributes are more nearlv bipolar’ 
and a balance must be struck ami ng them . y ^ ’ 


/ he attnt utes we have suggested are not mutually exclusive; there is overlap among them. Our 
lb $ l .^ 1 ? nci P li:s su gg est a ro ugh prioritization where compromises are necessary. We have stated 
nf a inf« hUma f lS |, ar ^ t0 ** 10 command ’ the >' mus ? be informed. Accountability is an important facet 
, h -/ 0mUr ‘ g thC h f UI ? ajl operator, as well as an important means by which me operator can monitor 
ne function ,ng of the automation. Comprehensibility is another critical trait if the human is to 

drSa" hC ° r ShC mUSt abic to unccrstand without ambiguity what die automation is 

doing. Each of these traits is an aspect of informativeness. 


Informativeness may be interpreted to imply a system that provides information beyond the 

S5S U ?i72Sf y 10 TT K° r ^ ^ though we do not intend this imphcauon 

Sfomadon : SSL?" ? C h f Utn “°P erat ° r infor ™ d effectively of at least that minimum of 

information at all times, and mfonned in such a way that there is a very high probability that the 

information will be assimilated. In those cases where it may not be entirely clear why a system is in 
obvSus Ular StalC ’ exp anatl0n should be rcadil y available if it is not already known or fairly 


It can be argued that system dependability is degraded by the addition of more information. 

ered m pan by adding redundancy and error-checkinp. die predictability 
the system mav be degraded th^reihv r>n *k» nth*- u..Za i t ' 


*■* hjshi - # rc " ;abic ' fauit - toierant 


thi< ** ada 1 ptabiil i y “? neKibilit >' frills rather than necessities. To argue 

- f V 31 ^ ^ at humans can be made to oehave uniformly, and to a considerable extent this is 

by the enormous success of the* air transport industrl S coVb of 



° f sUf>orG ‘ nau u on has not loomed large until very recently and it should not be 
-ron.^nuous today, given that humans bear the ultimate responsibility for the safetv of flight 
operations. Respite this assertion, which is agreed to by regulators and the public alike it is 
.ought that die degree of independence of automation may be a major batde ground during the 
coming decade, as the ground element of the air transportation system is automated We ’argue 
simply that automation that bypasses the human operators will of necessity diminish Their 
involvement in and then ability to command the aviation system, which in turn will diminish their 
ability to recover from failures or compensate for inadequacies in the automated subsystems. That 
such madequacies wiU not exist or that such failures will not occur must be proven conclusively by 
automation designers be*ore tne aviation community can consider an alternative view. y y 


So a balance must be struck, where compromises are necessary, they must err on the side of 
keeping the human operator in the loop so that ne or she will be there when needed. This will be far 
easier if he or she is there all die time: if the pilot is helped to remain actively involved in normal as 

nfTr^ ^ Same statcmcm ^ n*de about die air traffic confer 

of -oinse, and about the desirability, if not the necessity, of maintaining and using voice channels 
or communication between them so that each can remain cognizant of the other’s intentions. 
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V. GUIDELINES FOR HUMAN-CF.NTERED AIRCRAFT AUTOMATION 
Introduction 

Having come this far. are there firm requirements that can be applied to all human-centred 
aLmraft automation: We believe there are. though their “firmness’ must be tempered by th- 
unpe..cci state oi our xnowiecge of human, behavior, by the compromises that are inevitable in the 
esign process, and by the constraints inherent in the aircraft certification process. In this final 
section, we win set forth certain guidelines that we believe flow from our review of oast and 
present automation and our best, guesses as to the future of this technology. 

pr - * l J s . net ; essaJ y to f remind the reader again that no attempt has been made to cover the 
engineering aspects of human factors in this document. In accordance with the call of the AT 
transport Association, we nave attempted to construct a philosophy of human -centered 
automation. One definition of philosophy is “the pursuit of wisdom/’ 'and while we mav be 

pursuing u at some considerable distance, we hope our results will further the dialogue we have 
attempteu to provoke. 

Principles of Human-Centered Automation— General Guidelines 

Kri^tT^fn h °' veve . r ’ WC Sti11 that the Principles of human-centered automation set forth 

bnefly m secuor. I constitute a reasonable foundation upon which to build We therefore reoeat 
them here as general guidelines, with some further discussion of each of them. "Page numbers in 
parentheses refer to discussions in this document. WC uuuibe.* .cic, to the Wiener and 
guidelines on pages 66 and 67.) 

• The human operator must be in command. 

fiihi n Smri of AERA 2 the automated en mute air traffic control system of the 
uturv, MITRE ^o.porauon stated unequivocally that even when die automated svstem is in 
operation Responsioility for safe operation of an aircraft remains with the pilot m 
Responsibility for separation between controlled aircraft remains with the 

W 1S P ° Wer l ° C0 ^ trci ° r dominate b - v Position; authority to command.” 

, that l* tney are to retain the responsibility for safe operation or separation of 

djcratt, pilots and controllers must retain the autnonty to command those ooerations Further 
uicre ippsars to be no appreciable argument concerning this point The issues relate to 
wheth r pilots and controllers will have the authority nectary l0 execute the responsibilities. 

« a fundamental of our concept of human-centered automation that aircraft (and 

A l .A a u exiSCS to assisl pllots controllers) in carrying out their responsibilities as 

stated above. Our reasoning is simple. Apart from die statutory' responsibility of the human 
operators Oi t ie system, automation is not infallible; like any o' her machine, it is subject to 
Sftlf??- Further, digital devices fail ^predictably, and produce unpredictable m^ifStiois 
of failures. Ihe human s responsibilities include detecting such failures, correcting their 

IhS noiSfunction? ntmUinS ^ ° peration safely until Lhe automated systems can resume 

Since automation cannot be made failure-proof, automation must not be designed in such 

**? !* Can £ubven the exer< r lse of the humai operator’s responsibilities, from which it 
follows that automation must not be used to configure the airplane or load the svstem bevond 
human capacity to control ana manage d if the automation fails. For a contrary corcept see 
the quotations trom the MITRE report on page 57, which present a considerabiv differed 
view of air traffic control automation. (See pp. 7, 12. 5T) ' re ‘ u 
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* To command effectively, ihe human operator must be involved. 

To exercise effective command of a vehicle or operation, the commander must be 
involved in the operation. Involved is “to be cHv- in’*; the commander must have an active 
role, whether that role is to control the aircraft (or traffic) directly, or to manage the human 
and/or machine resources to which control has been delegated. The pilot’s involvement, 
however, must be consistent with his or her command responsibilities; the priorities of the 
piloting tasks remain inflexible, and the pilot cannot be allowed to become pteocc pied by a 
wetter of detail. Automation can assist by providing appropriate information. 

Modem aircraft automation is extremely capable; it has made it possible for the aircraft 
commander to delegate nearly all tactical control of an operation to me machine. We believe 
that at least some of the aircraft mishaps cited herein can be traced at least in part to the human 
operators being too remote from the details of machine operation; the China Air 747 mishap 
near San Francisco is one example. We suggest that human-centered aircraft automation must 
be designed, and operated, in such a W 2 y that it does not permit the human operator to become 
too remote from operational details, by requiring of that operator meaningful and relevant 
tasks throughout the conduct of a fight. (See pp. 28,30, WC 6.) 

• To be involved, ihe human operator must be informed. 



Without information concerning the conduct of an operation, involvement becomes 
unpredictable and decisions, if they are made, approach randomness. We have suggested 
what we believe to be the minimum amount of information necessary to apprise the 
commander of the progress of a flight operation. The level of detail provided to the pilot may 
vary', but certain information elements cannot be absent if the pilot is to remain involved, and 
more important, is to remain able to resume direct control of the aircraft and operation in the 
event of automation failures. 


On the other hand, too much information concerning the conduct of the operation can be 
at least as dangerous as too little Both the content of the information made available and the 
ways in which it is presented must reinforce the essential priorities of the piloting task; in 
particular, situation awareness must be supported and reinforced at all times. (See pp. 14, 16, 
WC 13.) 


In automated aircraft, one essential information dement is > '•formation concerning the 
automation. Just as the pilot must be alert for performance decreim nts or incapacity in other 
human crew members, he or she must be alert for such decrements ii. automated, systems that 
are assisting in the conduct of the operation. This leads to the requirement that. 


♦ The human operator must be able to monitor the automated systems. 


The essence of command of automated systems is the selection and use of appropriate 
means to accomplish an objective. The pilot must be able, from information about the 
systems, to determine that system performance is, and in all likelihood will continue to be, 
appropriate to the flight situation. 


To moni:cr, or “keep track of,” automated systems, the human must have access to data 
concerning the functionality both of the hardware in those systems and of the software that 
instructs them. Because of the difficulty of verifying software while it is functioning, exist 
flight-critical automation involves either duplicate (or triplicate), or dissimilar software 
performing the same task in different processors, usually with a comparison module that 
indicates any differences in the results of the calculations performed by the two units. Some 
triplex systems conduct continuous “voting” to insure continued function; anomalous results 
in one processor lead to its exclusion from the operating system. 


m 
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In most aircraft systems to date, the human operator is informed oniy if there is a 

b f r tween oramon S * e units responsible for a particular function,' or a failure of 
ose units sufficient to disrupt or disable the performance of the funcbon In those cases the 

defaTu “ necfs^Ta^theh^ ^ ° f 1)131 fl,ncdon To abic «> *> so without 

ceia> it „s necessary' that the human operator be provided with information concerning the 

Z ,f ' h “ C “ 'Viden. from the behavtor of the a.^la^ T yf, m 

controlled. It is thus necessary that the pilot be aware both of the function (or dysfunction ' of 

the automated system, and of the results of ns laoors, on an ongoing basis i^he DUm is m 

31 WcT 5 ^ 9 , C l°oT leX aut0mated SyStems doin g whaI *ey are doing. ’(See. pp. 23, 24, 

• Automated systems must be predictable, 

airtsi-mp 3Ut ^ at f n 10 use {or not “*>• ^ pilot must be able to predict how the 

fii^hi Th v ffteted bythai automation, not only at the tune of selection but throughout the 
g . This task requires that the intent of the automated system be known and that the ~vnem 

in order " nai * 

The automated systems must also be able to monitor the human operator. 
diagrSsTd co^cno^Z^ p^o/L^ad^ system ’ dctect ? on * 

m^sEis^sm 

i s , f ' c ?, vefu - ictionin8 

detect Designing warning systems to detect failures of warning systems can be an fHdfe« 
chain, but it is necessary that we recognize the human tendency to relv un?n ^aMe^s^f rr 
and consider how much additional redundancy is required in essential' alerting systems. 

We a] so believe that information now resident in flight management anH v ^ 
computers can be used to monitor pilots more comprehend SKfiSleiv 
aitentton is gtven ,o the monitoring function. We have raffl sdSS !L2S^ 
non-ob vtous navigation data entry emtrs. some of which have 
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they were committed. This would seem to be a productive area for error-detection modules, 
and there are several others which are mentioned herein. Research should be conducted using 
accident and incident data to determine other areas ir which errors are common or have 
particularly hazardous implications, and ways should be devised to detect such errors and alert 
pilots to their presence 


The most difficult task, of course, is to monitor pilot cognitive performance and decision 
nuking. When a pilot consciously decides to do nothing, his decision cannot be differentiated 
from a failure to do something. Further, advanced automation has made the need for 
decisions and actions infrequent during cruising flight. The advent of extremely long haul 
aircraft has emphasized the problem of monitoring human alertness and functionality. This is 
the motivation for our emphasis on keeping pilots involved in a meaningful way in the 
operation. 

There is no way to make the system totally foolproof, and each additional piece of 
hardware or software has a potential decremental effect on system reliability, but as we 
pointed out in our discussions of error resistance and error tolerance, a layered defense against 
errors is essential if we are to make the system as foolproof as possible (See pp. 32, 78-79, 
WC 9.) 

• Each element of the system must have knowledge of the others’ intent. 


i 



Cross- monitoring (of machine by human, of human by machine and ultimately of human 
by human) can only be effective if the agent monitoring understands what the monitored agent 
is trying to accomplish, and in some cases, why The intentions of both the automated 
systems and the human operators must be known and communicated; this applies equally to 
the monitoring of automated systems by pilots, of aircraft by human controllers on the 
ground, and of air traffic control by human pilots in flight. Since humans are so much more 
versatile than any machine, ultimate responsibility for monitoring of human behavior rests 
upon the other humans in the system. 

Under normal circumstances, pilots communicate their intent to ATC by filing a flight 
plan, and to their FMS by inserting it into the computer or calling it up from the navigation 
data base. ATC, in turn, communicates its intent to the pilots by granting a clearance to 
proceed; data link in the near future will make this information available to the FMS as well. 
The MITRE document referred to above mentions specifically that “Information on aircraft 
flight intent can be sent from aircraft to the ATC system so that conflict prediction and 
resolution capabilities of AERA use the best data available” (ref 80). The document is silent 
with respect to communication of intent in the other direction, however, and such 
communication must be a two-way channel. 

It is when circumstances become abnormal, due either to environmental problems or to 
in-flight emergencies, that communication of intent among the various human and machine 
agents becomes less certain. ASRS and other data provide evidence of the frequency with 
which the handling of an in-flight emergency may lead to other anomalies in the system, most 
commonly involving aircraft other than those involved in the emergency. In one study, the 
handling of in-flight emergencies led in approximately one-third of cases to another problem 
(ref. 85). 

It cannot be stated with certainty from the ASRS data that communication of intent would 
have averted these secondary problems, but it seems likely that it would have prevented some 
of them. Further, the communication of intent makes it possible for all involved parties to 
work cooperatively to soive the problem. Many traffic control problems occur simply because 
pilots do not understand what the controller is trying to accomplish, and the converse is also 
true. Finally, automation (or ATC) cannot monitor pilot performance effectively unless it 
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• Control automation should be delimited in its authority. It should not be 
permitted to become insubordinate. 

Control automation should not be able to endanger an aircraft or to make a difficult 
situation worse. It should not be able to cause an overspeed, a stall, or contact with the 
ground without explicit instructions from the pilot, and possibly not then. If the pilot 
approaches safe operating limits, the automation should warn the pilot, giving him or her time 
to recognize the problem and take corrective action. 

Some current electronic engine controllers withdraw engine power to flight idle 
autonomously if an overspeed is detected, without regard to whether other engines are 
operating. This feature cannot be locked out at presert We would argue that this is 
potentially insubordinate automation. 

The pilot should not be permitted to select a potentially unsafe automatic operating mode; 
automation should either foreclose the use of such modes or should alert the pilot that they 
may be hazardous, and why. (Sec pp. 30, 71, 80, WC 4.) 

• Do not foreclose pilot authority to override normal aircraft operating limits 
when required for safe mission completion witkout truly compelling reasons for 
doing so. 

Limitations on pilot authority may leave the pilot unable to fulfil his or her responsibility 
for safety of flight. A recent ASRS incident report, one of many, underscores the need to 
preserve pilot capability to do what is necessary: an abrupt 50’ banked turn was required for 
collision avoidance in an advanced technology wide-body airplane iref. 104). There have 
been several cases in which pilots have violated legal G limits; in nearly all of these, the 
aircraft have been recovered, though with damage. These maneuvers would not have been 
possible had hard envelope limits been incorporated. We suggest that the “soft limits" 
approach represents a way to avoid limiting pilot authority while enhancing flight safety. (See 
pp. 21,29-30. 39-40, WC 7.) 

• Design control automation to be of most help during times of highest workload, 
and somewhat less help during times of lowest workload. 


Field studies of aircraft automation have suggested that it may appreciably lighten 
workload at times when it is already low, while imposing additional workload during times 
when it is already high, during climbs and particularly descents. While much of the additional 
burden relates to problems in interacting with the flight management system (see below), the 
end product of that interac tion is the control and guidance of the airplane as it moves toward its 
destination. 


Avionics manufacturers have made appreciable strides in easing this workload by 
providing lists of arrival and runway options at particular destinations, but air traffic control at 
busy terminals may utilize procedures that differ from those listed. In particular, “sidestep” 
maneuvers to alternate parallel or converging runways are a problem in this regard, especially 
if clearances are altered late in a descent. Easing such problems may require a better 
understanding by aTC of what is, and is not, reasonable to ask of a highly automated 
airplane. Given the congestion at our busiest terminals, however, ATC is likely to continue to 
seek more, rather than less, flexibility and any short-term improvements will have to be in the 
cockpit (see also management automation guidelines). 



During cruise flight at aitimde, the maintenance of pilot involvement is important (see 
above). Workload may be very low and should quite possibly be increased during long flight 
segments. {Sec pp. 17, 28, 47, WC 3. 6.) 
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Keep the flight crew involved in the operation by requiring of them meaningful 
and relevant tasks, regardless of the level of management being utilized by 


,evels ot strategic management have the potential to decrease pilot involvement 
beyond desirable limits. Control automation should not permit this degree of detachment, lest 
the pilop be unable to reenter the loop in the event of its failure. Keeping pilots involved may 
require less automation rather than more, but involvement is critical to their ability to remain in 
command of an operation. 


Much critical flight data is now accessed from lookup tables in aircraft performance data 
bases resident within the FMS. (Critical speeds for approach and landing are examples ) K it 
is necessary to be more certain that pilots are aware of these data, the designer may wish to 
consider requiring that the data be either entered manually, or verified bv the pilots before 
use. I he latter option takes less time, but may be less effecti ve. 

We have suggested that requiring management by consent rather than management by 
exception may be one way to maintain involvement, though it has also been pointed out that 
we do not yet know how to keep consent from becoming perfunctory, and this must also be 
avoided. One way to assist may be to give more attention to workload management, as i^ 
suggested in the preceding guideline. (See pp. 28-29, 65, 94, WC 6.) 


* Control automation should be designed for maximum 
toi trance. 


error resistance and error 


Both automated control systems and their associated displays should be made as error 
resistant as is feasible by designing clear, simple displays and unambiguous responses to 
commands. Thereafter, safety hazard analyses should be performed to elucidate remaining 
points at which errors can be committed. The designs should then be modified to incorporate 
the highest possible degree of error tolerance as well, by proscribing potentially hazardous 
instructions or by providing unambiguous warning of potential consequences that can emue 
from an instruction. Accident and incident data should be reviewed on an ongoing basis to 
identify lUtely human and machine deficiencies and these deficiencies should receive special 
attention m this process. 1 


Human errors, some enabled by equipment design, bring more aircraft to grief thar. any 
other » actor. Error resistant systems can protect against many of these e-ors, but it is 
necessary to give pilots authority to act contrary to normal operating practices when necessary 
ana this requires that designs also incorporate error tolerance. (See pp. 24, 56, 78-79, WC 1 


* Control automation should provide the human operator with an appropriate 
range of control and management options. 

The control and management of an airplane must be safelv accomplished by pilots whose 
abilities vary, under circumstances that vary widely. To provide effective assistance to 
whomever is flying, under whatever conditions, a degree of flexibility is required in aircraft 
automation The aircraf t control-management continuum has been discussed; problems at the 
extremes Ch this continuum have been indicated (high workload at the low end of the 
spectrum, possible decreased involvement at the high end of the spectrum) The range of 
control and management options appropriate to a given airplane must be wide enough to 
encompass the full range of pilots who may operate it, under the full range of operating 
conditions tor -which it is certificated. (See pp. 26-29, 73, WC 7, 8.) B 
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Guidelines for Human-Centered Information Automation 

It wiL have been noted that some of the guidelines above relate to information provided to the 
pilots as well as to the control of the airplane and its subsystems. It is not always possible to draw 
a clear distinction between control and information automation, for all automation involves the 
requirement to keep pilots informed. The following are suggested guidelines specifically for 
information automation. " ^ J 

The primary objective of information automation is to maintain and enhance 
situation awareness. All displays should contribute to this objective. 

We have indicated (p. 77) what we believe are the minimum elements of information 
required by pilots at all times. Many other information elements are also required in some 
«orm however (p. 16). The question is not whether these are needed, but in what form thev 
will best reinforce the pilot’s awareness of his or her situation and state. The remaining 
guidelines m this section address this issue in general terms. (See pp. 23-24, 35, 42, 43, 63.) 

“ Assume that pilots will rely on reliable automation, because they will 

Once pilots have flown an automated airplane long enough to become comfortable with it, 
they will come to know which cc ntrol and information elements can be trusted. Thereafter] 
most (though not all) pilots will become increasingly reliant upon the continued reliability of 
rnose elements and therefore less liable to be suspicious of them if they become unreliable 
r u, al rcas ° n ’ the designer must not make flight-critical information available unless it is 
reliable (and must also provide the pilot with information concerning the status of the 
automation as well as of the element controlled by that automation). 

If information is derived or processed, the designer must insure that the data from which 
it is derived is also either visible or accessible for verification. If it is not critical information 
tor a particular flight phase, make it available only on request, but insure that it remains 


Future automated decision support systems may pose a serious problem in this regard, if 
puots come over time to rely on the quality of the machine decisions. A poor decision may be 
much more difficult to detect than an aberrant subsystem operation. (See pp. 4, 37, 38-39. 
WC 15.) 


Automated systems must be comprehensible to pilots. 

As automation becomes more complex and integrated, with more potential interactions 
among modes, pilots must be assi r ted to understand the implications of those interactions 
especially to interactions which can be potentially hazardous at a critical point in flight 
Systems need to be as error resistant as possible in this respect, for the likelihood that pilots 
-nk rcmem ° er ’ such potential interactions is not high if they are not encountered frequently, 

lhe memory' burden imposed by complex automation is considerable; infrequently-used 
knowledge may not be immediately available when it is needed. (See do 21 28 04 si fs 
74-75, WC 1, 12, 14, 15.) VV ' ' ' ’ 


Alerting and warning systems should be as simple at. ' foolproof as possible. 

Warning systems for discrete failures dc> not present a particular problem; whether 
reconriguration should be autonomous remains an open question awaiting experience with the 
NfD-1 1 systems. The problem of quantitative warning system sensitivity and specificity has 
been discussed False or nuisance warnings must be kept to reasonable levels to avoid the 
unwanted behavioral effects of excessive alarms. 
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PJ^^^S pilots with more information than they need to know, we believe 
(as did Wiener and Curry) that it may be appropriate to provide pilots with trend information 
betoie a parameter reaches a level requiring action, to improve their awareness of a potentialiv 
serious situation. This serves the added purpose of increasing their trust of the automated 
monitoring systems. We have suggested some ways in which trend information might be 
provided on simplified system displays. 

TCAS provides traffic alerts with respect to traffic that may in the near future pose an 
imminent hazard, which gives pilots time to attempt visual acquisition of the traffic. An 
avoidance maneuver is advised if the traffic thereafter is assessed as a serious threat '•such 
systems increase pilot involvement, but this can pose a problem under conditions of high 
workload. ,t is possible that ‘'low’ and “high" sensitivities could be used during short and 
longer nights, or that non-critical alerts could be inhibited during flight at low altitudes a« is 
aiready done in newer aircraft. 

When warnings are provided and response, time is not critical, many pilots will attempt to 
accurately * 6 Va ~ ! ^ Jt - V warnm o- Means should be provided for them to do so quicklv and 

Warnings and alerts must be unambiguous. When common signals are used to denote 
more than one condition (as are the master caution and master warning signals), there must be 

38-3? 44 45 ° 4 g which is responsible for the alert. (See pp. 23, 25, 

Less information is generally better than more information, if it is the right 
information for a particular circumstance. 

There is no conflict between our guideline of keeping the pilot informed and the 
recognition that too much information may prevent the pilot from assimilating the most 
important information. It is a matter of understanding what the pilot needs to know at a 
particular ume cu in a particular situation. Cockpit designers have generally done a 
commendable job of providing the most important information; thev have not always done as 
well in keeping that information at the forefront of the pilot’s awareness or in reducing the 
amount of non-essential information. B 

, ^ ess information is generally better than more information, but only insofar as no critical 
element of situation awareness is neglected Selective de-cluttenng of pnmaiy flight displays 
analogous to what has been done with navigation displays, should be considered; as indicated 
in the text, more integrated PFDs are under study. See also the description of the “dark 
COnCept on P a 8 e 25 - ( See PP- 10 , 17. 26, 33, 36-37, 39, 41, 43-44. 46, 48. 49 , 77 , 

cO, o2,i 

Integration of information does not mean simply adding more elements to a 
single display. 

Integration in psychology means “the organi sation of various traits into one harmonious 
personality. An integrated display combines disparate information elements into a single 
picture that renders unnecessary many cognitive steps the pilot would otherwise have to 
perform to ootain a concept. It thus relieves the pilot of mental workload. Primary flight 
displays are not integrated; rather, they combine information previously shown on manv 
instruments on a single screen. The elements, however, are still discrete and the mental 
workload of adducing aircraft state is soil required. 

Clutter in displays is undesirable for the pilot may fail to nonce the most important 
information or may focus on less important data. It is for this reason that we have suggested 
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that fairly radical de-ci uttering of the PFD would still provide the pilot flying at cruise on 
auiopiiot with the information required to monitor the autopilot and return to the control loop 
rapidly if required. 

Subsystem displays can also be made more simple and intuitive. Again, the controlling 
variable should be what the pilot needs to know under particular circumstances. As long as ail 
information necessary to take over manual control of these systems is available when required, 
it is not necessary that other date be visible in circumstances where they are not central to the 
pilot’s tasks, though we believe that power information, perhaps in simplified form, is needed 
at all times because it is an element of flight path control. ISee pp. 34-35, 37-38, 39. 42, 44, 
47, 54-55,77, WC 12.) 

* Automation poses additional monitoring requirements; insure that pilots are 
able to monitor both the status of the automation and the status of the functions 
controlled by that automation . 

On page 46, it was asked whether displays should show the position of a switch, or the 
position of the device controlled by that switch. Should automation status be announced, as 
well as the status of the function being controlled? One can argue that it should be, by some 
means. While the “dark cockpit” concept (no annunciations as long as everything is normal) 
has distinct advantages in preventing information overload, no information can mean either 
that everything is normal or that the annunciator has failed. No information is quite different 
from negative information. In the case of subsystems, where nothing happens for long 
periods of time, pilots need some type of reassurance that the automation is still monitoring the 
systems. 

Automation can fail covertly as well as overtly, and in either case, the pilot must become, 
or be ready to become, a controller rather than a manager. To do so, he or she must know by 
some means that the automation has failed, and the condition of the controlled elements or 
functions. (See pp. 33-34, 40, 48, 82, WC 5, 9, 10.} 

• Emphasize inf or nation in accordance with its importance. 

The most important information should be most obvious and most centrally- located. 
Information relevant to aircraft control deviations, power loss or impending collisions with 
obstacles is always more important than information concerning other facets of the operation 
Symbolic information should be redundantly coded (shape, size, color, use of two or more 
sensory’ modalities) to insure that it is defected. Aud.tory (sounds) or tactile information 
displays can be used to reinforce, or in some cases to substitute for, visual information; this 
cart be particularly useful during periods of high visual workload (p. 38). 

It should be noted that a strenuous and largely successful attempt has been made to 
decrease the large number of discrete auditory warnings that were present in older cockpits. 
The use of discrete voice warnings is increasing, nowever; GPWS, TCAS and windshear 
alerts all incorporate voice signals, and an increasing number of aircraft also incorporate 
synthetic voice altitude callouts on final approach. This may be less of a potential problem as 
digital data link replaces some of the voice communications now required, but there remains 
the potential for interference among voice messages, as well as the potential for overuse of 
voice signals leading to diminished attentiveness to voice emergency messages. 

The question of tactile information transfer has been brought to the fore by the A320 
control systems (p. 23,24). The two pilot side stick controllers are not interconnected, and 
therefore do not provide information concerning control inputs from the other side of the 
cockpit. Because the airplane utilizes a load factor demand control law, pilots cannot detect 
changes in aim from control column pressures. Also, the thrust levers do not move when the 
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autothrust system changes engine power. The discussion points out that this may be 
appropriate automation and that companies flying this airplane do not manifest concern 
regarding these features, but it is also necessary to recognize that certain elements of the 
feedback previously provided to pilots are not present in this airplane. Continued scrutiny of 
« A 320 operations is needed to determine whether the absence of this feedback mode nas am 

undesirable consequences, or whether the redundancy of the information it provides in other 
aircraft is not truly necessary. (See pp. 26, 35, 45, 77, VVC 12.) 

* design automation to insure that critical junctions arc monitored as hcII as 
executed. 

Tne safety benefits of independent monitoring art indisputable. ATC radar permits 
controllers to monitor flight path control; TCAS permits pilots to monitor controller actions. 
There are functions that are not independently monitored at this time; airplane acceleration with 
respect to runway remaining dunng takeoff is one, ILS guidance during instrument 
approaches is another. A third is aircraft position on the airport surface, at most facilities. 
Monitoring of input to aircraft systems espeeme y the FMS, remains a problem despite the 
monitoring capability provided by map displays. In the flrst two esses mentioned, new 
technology will be required. In the latter case, FMS software could be provided to monitor 
as well as assist m, pilot interactions with the system. Where critical errors could compromise 
safety, independent monitoring of inputs (perhaps by downlinking of FMS data for 
comparison with ATC clearance data) should be enabled. 

It is not clear at this point in tune that airplane -to- ATC digital data link wili be used to 
confirm mat clearance data has been received and entered into the FMC correctly. Such a link 
could also be used to confirm that manually-entered flight p .; data conforms to ATC 
intentions. If such a monitoring link is not provided for, an important element of redundancy 
will have been lost (See pp. 48, 56, 78, 79, WC 9). 

• Consider the use of electronic checklists to improve error resistance and 
tolerance. 

Depending on how they are implemented, electronic checklists have the potential to 
improve error resistance, by performing checklists on command, and error tolerance, bv 
reminding pilots of checklists that need to be performed and by providing reminders of items 
no* completed. Checklist usage is known to be somewhat variable (ref. 74) and failures to 
p«ei.o:m checklists have been associated wita serious mishaps (refs. 10.il). “Sensed" 
checklists (those that verify that most or all items have Deen completed) will be more error 
tolerant than those that rely entirely on pilot confirmation of actions taken, and this mav 
suggest a desuable minimum architecture for such modules. On the other hand, data from 
recent checklist studies suggests that automated checklists may reduce pilot vigilance for 
aircraft system faults (ref. 71). (See pp. 48-49, WC 9.) ‘ 


Guidelines for Human-Centered Management Automation 

Management automation has been a remarkably successful tool in the cockpit; the development 
of air traffic automation will further improve as utility and effectiveness. It has made the aviation 
s\ stem much more error resistant, though it has also enabled new errors in the cockpit, as does any 
new equipment that must be operated by humans. We offer the following guidelines for future 
Flight management systems. 
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Management automation should make airplanes as easy to manage as they are to 

fly. 


The major problem with flight management systems is that they are often cumbersome to 
operate. Under some circumstances, it is easier to operate without them than to use them, 
with the predictable result that they are apt to be bypassed under these circumstances. This is 
a pity, for the error resistance that they bring to flight path management is, also bypassed. One 
partial solution to this problem is to improve the interfaces between system and pilot so that 
they can be manipulated more easily 

This will not be a trivial task, for it may requir establishing a different level of interface 
between the pilot and the system, one vhich involves a high-level interaction rather than the 
present point-by-pomt description of desired ends. On the other hand, data link may enable 2 
higher-level interaction and may ever require it for effective interaction with ATC, most of 
which may be through the FMS. 

Within the constraints of present-generation systems, efforts to improve system 
operability in high workload segments of flight would be most helpful to pilots, and would 
improve system safety. The problem of manually tuning navigation radio aids rapidly has 
bee" mentioned; providing alternate interfaces through which such tasks could be 
accomplished more readily is worthy of consideration. (See pp. 27-28, 29, 54, 55.) 

Flight management system interfaces must be as error tola ant as possible. 

In view of the known problems in data entry, FMS software should accomplish as much 
error trapping as is possible. Some ways of doing this have been suggested above. When 
data link is available the data entry process may be simplified, but that does not necessarily 
imply that data entry errors will be elii. inated. (See pp. 52, 53.) 

As noted earlier, CDUs wall refuse to accept incorrectly-formatted entries, but they do not 
provide feedback as to why an entry was rejected. If the computer knows, why doesn’t it tell 
the pilot? Some data entry' errors are obvious, but others may be less obvious and pilots may 
be tired or distracted by other problems. 

Future flight management system and aviation system automation must insure 
that the pilot cannot be removed from the command role. 

We have indicated our concern that increasing automation of the ATC system and 
increasing integration of the ground and airborne elements of that system have the potential to 
bypass the humans who operate and manage the system. One way to guard against this is to 
design future flight management systems so that the pilot is shown the consequ ^ces of any 
clearance before accepting it; another is to insure that the pilot must actively consent to any 
requested modification of flight plan before it is executed. A third, more difficult way is to 
make it possible for pilots to negotiate easily with ATC on specific elements of a clearance, 
such as altitude changes, rather than having to accept or reject an entire clearance or 
modification. All three, and possibly other wa " as well, may be required to keep oilots 
firmly in command of their operations. (See pp. 5 3, 54.) 

These steps will require more than simply software changes. They will require careful 
negotiations between the operating community and air traffic management system designers. 
In view of the rapidity with which the enabling technology is being pursued, the long-term 
goals and objectives of system designers and planners need to be known with precision. We 
do not believe that they have been set forth with sufficient clarity thus far, and we believe also 
that the consequences of fundamental changes in the locus of command of the system are so 
major as to require consensus before proceeding farther with system design. 
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Some Thoughts on Aircraft Automation 

What follows is some comments that need to be made but that do not seem to fit elsewhere in 
this document. They are not conclusions; rather, they are issues that need to be considered by 
designers and operators, and perhaps by the human factors research community as well. 

The use of artificial intelligence in future automation : We have made reference in 
several places in this document to the development of decision support or decision making systems 
as a future thrust in aircraft automation. Despite the promise of artificial intelligence (Al) 
technology in limited applications to date, AI remains a promise — an exciting one, but one whose 
bounds we do not yet understand. It is our belief that truly “smarf systems will find their way 
into the cockpit only slowly, and that those applications will be accepted by aircraft manufacturers 
only after protracted evaluation in less safety-critical environments. This is as it should be; the 
paramount interest in safety of all members of the aviation community requires a considerable 
degree of conservatism with respect to new and largely untested technologies. 

This, of course, suggests that cognitive systems may be a long time coming, and that the 
introduction of smart systems should initially be for the control or management of non-critical 
functions. AI systems for the management of information in electronic libraries have been 
suggested; this might be such an application. It has been implied here that decision making 
systems should probably not be adaptable, because that would decrease their predictability and the 
human operator needs automated systems that are predictable. Pilots admittedly adapt to 
inexperienced copilots who learn as they accumulate operating experience, but the pilot in 
command is liixly to be less confident of an ir animate system whose inner workings are less clear. 

In an effort to take advantage of decision support technology without foreclosing the decision 
authority of the human operators, researchers have turned to decision-aiding systems that assist 
both pilots and air traffic controllers in decision-making (refs. 64, 86. 105). These systems 
provide options to the human operator, based on understood rules, but they leave decisions about 
the use of those options in the hands of the operator. (See also p. 88.) 

The effects of automation on human operators: We have referred to the considerable 
and growing literature on human-centered workplaces, Cooley, among others, has discussed the 
problem of “deskilling” in highly automated ;v r j ments. Aviation is certainly such an 
environment, though it differs in appreciaole r- ■ „ from the usual production environment. 
Nonetheless, automation does cause behavioral ano attitudinal effects over time in those who work 
with it. Depending or how it is built and operated, these effects can range from a sense of 
growing mastery over another complex machine system across the spectrum to complacency and 
boredom in the face of tasks made routine and mechanical. 

Scientists and physicians in the Soviet Union who have worked extensively with cosmonauts 
during long missions report that under the severe confinement and other stresses inherent in such 
missions, their charges become increasingly intolerant of boring, repetitive, routine tasks, to the 
extent of severely diminished performance (ref. 106). On the other hand, they remain capable of 
being stimulated and challenged by novel, intellectually demanding tasks even after many months 
of exposure in this most difficult and constrained environment It is their belief that great care must 
be taken to insure that tasks remain challenging and stimulating. 

There is much that is boring and repetitive in die cockpit environment as well, especially in 
long haul overwater Tying. Few tasks are more soporific than watching a highly automated 
vehicle drone on for many hours, directed by three inertial navigation systems all of which agree 
within a fraction of a mile. This boredom can be compounded by fatigue during operations that 
often traverse the horns of darkness and normal sleep. Maintaining involvement in such a task, let 
alone a sense of challenge and intellectual demand, will be a real challenge to cockpit designers, but 
it must be met. Pilots are people who like challenges and have chosen aviation because it is a 
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c allenging occupation. If we are to keep them from becoming ineffective, we must design their 
asks in such a way that they can maintain their interest in them, and thus their performance of 

ammnati on 'o^ef u r re ” ^ foremost chaIlen S e facing those who design and shape the aircraft 

^] n /c he ]f ilght CntiC ? llty °f ai [f ra f t automation . We have suggested in this document that 
fw-VT C °‘lT re ‘ y ,° n rchable automatl0n There is much evidence that they do so, though 
n r, , K /e n0t bec ”l \° date ’ indjcatl0ns tha * the potentially deskilling effects of control automation 
cannot be countered by increased emphasis on manual flying for a short time before reverting to a 
ess automated aircraft type. Will this continue • > be the case in the future, as more pilots receive 
^ CXp ° Sure “ hl § hl >' automated aircraft? As automation become S P increasingly 
Sle m rh tS co f ld « rabl « experience in fully functional automated aircraft remain as 

able to manage those aircraft when the automation is degraded? Finally, will pilots most or all of 
whose ex^nence is in aircraft with highly tailored flight control systems able to convene otVr 

aircraft wluch do not provide them with the protection such systems afford? 

operator? ^e^v^ric^ ? rcV10US section ’ ^ late t0 * e effects of automation on human 
S L° an ° ther ^ ue L sDon > P erha P s more difficult to answer. In highly 

atra ’ aft ’ bow much automation should be considered essential for safe operation under 
r variety of circuinstances that may be encountered in line operations 9 At present 
certification requirements permit dispatch of such aircraft without substantial elements of the 
“f n0rmall { P; OVided - We bave indicated the reasons for this in several places We 

P llots * brought up with highly automated aircraft, will adapt as 
readily and effectively to the demands of a more manual style of operation as have their 

manu ^ aheraf ^ ° graduated t0 automation after considerable operating experience in largely 

prarired^ .°J, the aviatior ] s y stem havs motivated much of the automation we now take for 

granted, and those demands will increase, not abate, in the future. Is it prudent therefore to 

“ opera!e as effccdvdy udtho “' taporemt ,ools on which 

unoer circumstances unlikely to be encountered in line Lying. Despite thVgreat care wkh whkh 
regulatory authorities and manufacturers have approached the certification process however onlv 
a subset of conditions, failures, and pilots can be evaluated. Is thfs^ple X'S 
representative of the population of pilots and conditions that mav be encountered on ? the line 9 Does 

longser^ce? *“ ^ d ~'“ nc “ » "*** ^ «nay be exposed during 

, ^ a ? swers . to these questions are not known and may never be known conclusively given 

the redundancy in the system and the relative rarity of transport aircraft accidents In tWs 
soliloquy, our concern is simply with how little automation is enough for pilots accustomed to (and 
m die luuire perhaps accustomed only to) a great deal more. We do believe th^uestiTnSd^o 
be considered as we approach die time when highly automated aircraft supplant earlier models in 
the airline fleet We have asked repeatedly in this document how much automation is enough and 
how much may be too much. We will close by asking how little automation is enough? Is there an 
amount that is too little, given the changing demography and experience of the pilot population and 
the increasing demands of the aviation system? F dUonana 
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VI: CONCLUSION 


Humans must remain in command of flight and air traffic operations. 

Automation can assist by providing a range of management options. 

Human operators must remain involved. 

Automation can assist by providing better and more timely information. 

Human operators must be better informed. 

Automation can assist by providing explanations of its actions and intentions. 

Human operators must do a better job of anticipating problems. 

Automation can assist by monitoring trends and providing decision support. 

Human operators must understand the automation provided to them. 

Designers can assist by providing simpler, more intuitive automation. 

Human operators must manage all of their resources effectively. 

Properly designed and used, automation can be their most useful resource. 


This is human-centered automation. 


It has been suggested in this document that automation evolution to date has been largely 
technology-driven. This is clearly true, but it is a’ so unfair in one sense; designers of new aircraft 
in recent yea^ have made a determined attempt to help humans do what they may not do well in the 
press of day-to-day operations. In doing sc, they have eliminated some causes of human error, 
while enabling ethers directly associated with the new technology. 

If there has been a shortcoming of automation as implemented to this time, it is perhaps that it 
has not been sufficiently thought out in terms of the average pilot's needs during worse- than- 
average conditions on the line in an air traffic system that is not yet able to take advantage of what 
airplanes are now able to do. That is not a criticism of the designers of the automation, rather, it 
implies that a more holistic view of the aviation system is necessary. Pilots fly airplanes in a 
complex and increasingly crowded airspace environment, working with controllers who must deal 
with whatever comes their way. We have automated the simple functions; it is now up to us to 
leam to assist the humans who manage and control the aviation system, wit" the intent of further 
enhancing their performance under the most difficult circumstances we can envision. This will be 
as great a challenge as any that has confronted us. 


D. 
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APF-.NDEX: AIRCRAFT MISHAPS CITED IN THE REPORT 


Northwest Airlines DC 9-8 2, Detroit Metro Airport, Romulus, Ml, 8/16/87 (ref. 10) 

Phoenix ^e^^fan!^ 55, crashed aJmos: immediately after takeoff from run wav 3C> enroute to 
and lifted off nS? the 5*'*?* ° f L fc * 8500 ft ru " wa > 

'ight pole toa,ed i/2 utile l*yond to * 

fully 'redacted' cXfvS^^rvR, 1 *' ^"g edge flaps and leading edge slats wen: 
did™, function ^ "* aktoB Warain? ^ SKm 

for takeoff. gn e 11131 the aiT P lane was improperly configured 

to, to fl^d a SS^'extt^' T2' S 10 “* “* ^ecklis, to ensun: 

toaStTextnsto^^ 

Delta Airlines B727-232, Dallas-Fon Worth Airport, TX, S/3 1188 (ref. 11) 

City.^TlwTakeoff roll was' nSSafh^ 0 ^,?*'” from "‘""ay 1 8L enroute ,o Sal, Lake 
explosions and to airplane began to ml] 1 vitfienH- m f* n ' c I t t d |e ground to ctcw heard two 

end after ton, ^ 

tore’XjT SSSS teto! *£ ffwtX^/^®^ Ev,dm “ s “8gesto to, 

dunng to las, maintenance action. Tfds 

dxsclJ^J ™d?aST i o?to P SSff SSato?lS? ta,n,S and officer’s inadequate cockpif 
was not properly configured for takeoff ^^founri ffl mg ^u SterT1 *9 thc that the airplane 
procedural de/ciencis and taftfLfcSS 

crews vigilance in Wtad <* »* 

Aeromexico DC-10-30 over Luxembourg, 11/11/79 (ref. 12) 

con » tetS ^ti“dt Ch ?fe ^v7!r “?■ **“ fm f’ g thaI h opurmed pm^eto 
elevators and to lower fuselage ail mainttnance access d^were'^stoy ^ ° f l ’° th ° UtbOS:<i 


from 26-35’) ParaUeT^wT^ SS I^S2^kiX < “ ,U#lly 
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The flight data recorder showed that the airplane slowed to 226 kt during an autopilot climb, 
quite possibly in vertical speed mode rather than indicated airspeed mode. Buffet speed was 
calculated to be 241 kt. After initial buffet, the #3 engine was shut down and the airplane slowed 
to below stall speed. 

The NTSB found the probable cause to be failure of the flight crew to follow standard climb 
procedures and to adequately monitor the airplane’s flight instruments This resulted in the aircraft 
entering into prolongs - <tal! buffet which placed it outside the design envelope. 

Indian Airlines Airbus AJ20, Bangalore, India, 2114190 (ref. 13) 

(Official report not available) This airplane crashed short of the runway during an approach to 
land in good weather, killing 94 of 146 persons aboard including the pilots. The best available 
data indicate that the airplane had descended at idle power in the “idle open descent” mode untii 
shortly before the accident, when an attempt was made to recover by adding power but too late to 
permit engine spool-up prior to impact. The airplane was being flown by a Captain undergoing a 
route check by a check airman. 

The crew allowed the speed to decrease to 25 kt below the nominal approach speed late in the 
descent The recovery from this condition was started at an altitude of only 140 ft, while flying at 
minimum speed and maximum angle of attack. The check captain noted that the flight director 
should be off, and the trainee responded that it was off. The check captain corrected him by 
stating, “But you did not put off mine.” If either flight director is engaged, the selected autothrust 
mode will remain operative, in this case, the idle open descent mode. The alpha floor mode was 
automatically activated by the declining speed and increasing angle of attack; it caused the 
autothrust system to advance the power, but this occurred too late for recovery to be affected 
before the airplane impacted the ground. 

China Airlines B747-SF, 300 miles northwest of San Francisco, 2/19/35 (ref. 14) 

The airplane, flying at 41,000 ft f .iroute to Los Angeles from Taipei, suffered an inflight upset 
after an uneventful flight. The airplane was on autopilot when the #4 engine lost power. During 
attempts to relight the engine, the airplane rolled to the right, nosed over and began an 
uncontrollable descent. The Captain was unable to restore the airplane to stable flight until it had 
descended to 9500 ft. 

The auto ilot was operating in the performance management system (PMS) mode for pitch 
guidance and altitude hold. Roll commands were provided by the INS, which uses only the 
ailerons and spoilers for lateral control; rudder and rudder trim are not used. In light turbulence, 
that airspeed began to fluctuate; the PMS followed the fluctuations and retarded the throttles when 
airspeed increased. As the airplane slowed, the PMS moved the throttles forward; engines 1, 2 
and 3 accelerated but #4 did not. The flight engineer moved the #4 throttle forward but without 
effect. The INS caused the autopilot to hold the left wing down since it could not correct with 
rudder. The airplane decelerated due to the lack of power. After attempting to correct the situation 
with autopilot, the Captain disengaged the autopilot at which time the airplane rolled to us right, 
yawed, then entered a steep descent in cloud, during which it exceeded maximum operating sp*. ed. 
It was extensively damaged during the descent and recovery; the landing gear deployed, 10-1 1 ft of 
the left horizontal stabilizer was tom off and the no. 1 hydraulic system lines were severed. The 
right stabilizer and 3/4 of the right outboard elevator were missing when the airplane landed; the 
wings were also bent upward. 

The NTSB determined that the probable cause was the Captain’s preoccupation with an 
inflight malfunction and his failure to monitor properly the airplane’s flight instruments which 
resulted in his losing control of the airplane. Contributing to die accident was the Captain’s 


c^Jove^n^skied the'annmaHV 1 * l0$S ° f ° n ** tn ^ c ^ Board noted that the autopilot 
enecnvely masked the approaching onset of loss of control of the airplane. * 

Scandinavian Airline s DC-10-30, J. F. Kennedy Airport. NY. 2128/84 mi. 15) 

slopped on the ninway. It was steered to the right and came to rest in water 6<M ft from 
Sd'"he mnwl/^ef tojortes durme ' vacuano » ^ weather was vety 

(dte High, crew was nj, requtred to ^‘Z™* 

issi€^ssHsss=i 

indications, tite fas, -slow indicati^l^^^ 

— ~ szttssxi xSSSS 

United Airlines DC-10-10. Sioux City, 1A, 7/19/89 (ref. 25) 

sSSS'Sar^s^WESs: 

scsK^S^^"*^a=?es 

United Airlines B-747-122, Honolulu, HI, 2/24/89 (ref. 26) 

The airplane returned to Honolulu and landed safelv after a carpn Hnnr • n- u 

=«t: 

K« s KiX^ n ,S^^ ^ shut “o*" 3 J 

was ascribed to the flight oe^, tSch eftc^fyl 
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Aloha Airlines B-737-260 near Maui, Hawaii, 4/28188 (ref. 27) 

Ti e *irplane experienced an explosive decompression due to a structural failure of the forward 
fuselage at 24,000 ft while enroute from Hilo to Honolulu. Approximately 18 ft of cabin skin and 
structure aft of the cabin entrance door and above the passenger floorline separated from the 
airplane during flight. One flight attendant was swept overboard: eight persons received serious 
injuries. The airplane landed safely. 

The NTSB found the probable cause to be failure to detect the presence of significant 
disbonding and fatig^- damage of the fuselage of an old airplane. This accident prompted a very 
major study of the ‘aging aircraft” problem by operators, aircraft manufacturers, the FAA and 
NASA. Major changes in inspection and maintenance procedures have resulted. 

Aircraft Separation Incidents at Atlanta Mansfield Airport, 10/7/80 (ref. 28) 

This episode involved several conflicts among aircraf t operating under the direction of air 
traffic control in the Atlanta terminal area. In at least two cases, evasive action was required to 
avoid collisions. The conflicts were caused by ’..ultiple failures of coordination and execution by 
several controllers during a very busy period. 

The NTSB found that the near collisions were the result of inept traffic handling by control 
personnel. This ineptness was due in part to inadequacies in training, procedural deficiencies, and 
S i? n ^ difficulties imposed by the physical layout of the control room. The Board also found that 
the design of die low altitude/conflict alert system contributed to the controller’s not recognizing the 
conflicts. The report stated that, “The flashing visual conflict alert is not conspicuous when the 
data tag is also flashing in the handoff status. The low altitude warning and conflict alerts utilize 
the same audio signal which is audible to all control room personnel rather than being restricted to 
only those immediately concerned with the aircraft. This results in a ‘cry wolf syndrome in which 
controllers are psychologically conditioned to disregard the alarms.” 

Eastern Air Lines L-1011, Miami , FL, 12/29/72 (ref. 31) 


The airplane crashed in the Everglades at night after an undetected autopilot disconnect The 
airplane was flying at 2000 ft after a missed approach at Miami because of a suspected landing gear 
malfunction. Three flight crewmembers and a jump seat occupant became immersed in diagnosing 
the malfunction. The accident caused 99 fatalities among the 176 persons on board. 

The NTSB believed that the airplane was being flown on manual throttle with the autopilot in 
ontrol wheel steering mode, and that the altitude hold function was disengaged by light force on 
ie wheel. The crew, did not hear the altitude alert departing 2000 ft and did not monitor the flight 
istruments until the final seconds before impact. It found the probable cause to be the crew’s 
failure to monitor the flight instruments for thw final 4 minutes of the flight and to detect an 
unexpected descent soon enough to prevent impact with the ground. The Captain failed to assure 
that a pilot was monitoring the progress of the aircraft at all times. The Board discussed 
ovemehance on automatic equipment in its report and pointed out the need for procedures to offset 
the effect of distractions such as the malfunction during this flight (ref. 31, p. 21). 

United Airlines DC-8-61, Portland, OR, 12/28/78 (ref. 32) 

This airplane, flight 173, crashed into a wooded area during an approach to Portland 
International Airport. The airplane had delayed southeast of the airport for about an hour while the 
r ght crew coped with a landing gear malfunction and prepared its passengers for a possible 
-rency landing. After failure of all four engines due to fuel exhaustion, the airplane crashed 
a< 5 miles southeast of the airport, with a loss of 10 persons and injuries to 23. 
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and .?^nd plZriy ^oT.ot'Lef^a^ Mure £ ^ C*"*" 10 monilOT «•* «*l «a* 
His mailcmioti ^'S mber advis ?? es "» f “" ««e. 

Pan Amerkan B - U7 md KLM B-747, Santa Cruz de Tenerife, 3127177 („f , 33) 

minutes later with instructions to leave the runwav^wl ™ ™J w ? y 30 ‘ PaT1 Am followed about 6 
end. A few minutes later after a f . sp t tlfied ^way enroute to the departure 

clearance, the KLM aircraft ’began ite takeoff ran *? we t£ ut wlthout specific takeoff 

tower was requesting Pan Am to renon announcul 8’ We »« now at takeoff,” as the 

we’ll report when wf re dear ’MuTtbSore in Pan Am responded, ‘‘OK, 

574 fatalities araong dte 644 persons SlSJd<SJ|iSS M,h P “ ^ — 

witho^cfeata^cefdid^not’^jev^ii^tn^M.’c^’ f’na 3 ^’ 1 *' KLM ^P 131 " ,ook off 

learning Pan American was still on rt” runw« and IJ 0 ' his ^off on 

regarding Pan Am’s position, affirmed tha?Pan Am hid iJ^kL hlS n ’ g t hl engineer's query 

Captain was an extremely experienced fliahr mcwto runwa > r " II was noted that the 

some time; the first officer had limited 747 flightTxpen^ce The KLM^ UCh rOUte flying in 
duty time limits: to have delayed would hav? r^ IS l Th K1 r M crew was very near its 
Tenerife overnight. y ° Uld have rec l uired the crew and passengers to remain in 

Delta Air Lines DC9-3I, Boston, MA, 7/31/73 (ref. 36) 

landing aftera flightfr'om B uriSJ^ duri ?8 an approach for 

impact was 165 ft right of the runwav 4R J^Sti » ^ ,g £L 8 ? p ^ rsons 00 board. The point of 
threshold. The weather was sky obscured, 400 ft ceiling, ' visibility M^^uffo^ ™ Way 

data;?don^s^tlftng 2 ” Se^xfaLSe 3 ^^ mbcr . had state ^ “You better go to raw 
approach due to visibility Mow 4 °TT1 ^ mad " a "*** 
Northeast Airlines to a Delta Air Lines confiSuratior i^Am”/ S??"? h w , been convened from a 
director had been replaced with a Sperrv devl^iWh^Hhi. 19 ' 3 ’ 3 which ? me ^ Co^s flight 
deficiencies since that time The flight dimrtnr m a nurnerous v^nteups for mechanical 
for tire ti,o presenJo ^as % H, page 20 

were former Northeast Airlines pilots If the crew g ^ fil S h t director. The crew 

which reauired only a slight extra motion of t beCn °P eratin g ln go-around mode, 
have re ciived spring H XT^£S££^iS rfft ”»*? WOuld 
altitude callouts were not made during the approach y ’ d f ILS guidance - Required 

passage toough’^cUron’e^ht' dISng ^nnaWta^aTO'oa^h'”"' 10 '' a ,f 1 m>e and its 
tne fiigti, crews preoccu F aaoa w,ti, q tiestiOtiabie le 'fl®® 
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The Board commented that, “An accumulation of discrepancies, none critical (in themselves), 
can rapidly deteriorate, without positive flight management, into a high-risk situation... the first 
officer, who was flying, was preoccupied with the information presented by his flight director 
system, to the detriment of his attention to altitude, heading and airspeed control...” 

Swift Aire Aerospatiale Nord 262, Marina Del Rey, CA, 3110/79 (ref. 37) 

This commuter aircraft was taking off at dusk from Los Angeles enroute to Santa Maria, CA, 
when a crewmember transmitted “Emergency, going down” on tower frequency . Witnesses stated 
that the right propeller was slowing as the airplane passed the far end of the runway: popping 
sounds were heard as it passed the shoreline. The airplane turned north parallel to the shoreline, 
descended, ditched smoothly in shallow water, and sank immediately. The cockpit partially 
separated from the fuselage at impact. The accident was fatal to the two crewmembers and one 
passenger. 

The flaps were set at 35’, the right propeller was fully feathered and the left propeller was in 
flight fine position. It was found that the right propeller pitot pressure line had failed; the line was 
deteriorated and would have been susceptible to spontaneous rupture or a leak. The left engine fuel 
valve was closed (it is throttle-actuated). Once the fuel valve has been closed, the engine’s 
propeller must be feathered and a normal engine start initiated to reopen the valve. The aircraft 
operating manual did not state this and the pilots did not know it. 

The NTSB found that the right engine had autofeathered when the pitot pressure line had 
failed; the pilots shut down the left engine shortly thereafter, probably due to improper 
identification of the engine that had failed. Their attempts to restart the good engine were 
unsuccessful because of their unawareness of the proper starting sequence after a fuel valve has 
been closed. Engine failure procedures were revised following this accident 

Air France Airbus A320 , Mulhouse-Habscheim, France, 6/26/88 (ref. 44) 

This airplane crashed into tall trees following a very slow, very low' altitude flyover at a 
general aviation airfield during an air show. Three of 136 persons aboard the aircraft were killed; 
36 were injured. The Captain, an experienced A320 check pilot, was demonstrating the slow- 
speed maneuverability of the then-new airplane. 

The French Commission of Inquiry found that the flyover was conducted at an altitude lower 
than the minimum of 170 ft specified by regulations and considerably lower than the intended 100 
ft altitude level pass briefed to the crew by the captain prior to flight. It stated that, “The training 
given to the pilots emphasized all the protections from which the A320 benefits with respect to its 
lift which could have given them the feeling, which indeed is justified, of increased 
safety...However, emphasis was perhaps not sufficiently placed on the fact that, if the (angle of 
attack) limit cannot be exceeded, it nevertheless exists and still affects the performance.” The 
Commission noted that automatic go-around protection had been inhibited and that this decision 
was compatible with the Captain’s objective of maintaining 100 ft. In effect, below 100 ft, this 
protection was, not active. 

The Commission attributed the cause of the accident to the very low flyover height, very slow 
and reducing speed, engine power at flight idle, and a late application of go-around power. It 
commented on insufficient flight preparation, inadequate task sharing in the cockpit, and possible 
overconfidence because of the envelope protection features of the A320. 
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Delta Air Lines B-767, Los Angeles, CA, 6/30/37 (ref. 52) 

^SSS^aS'SsBS'a^sss.- 

engines wiihin one minute after an 

conTOI swiKhes on te •W 

WmfcglSSfc £g&5 SS*“ directi « - installation of a 

United Airlines B-767 , San Francisco, CA, 3/31/86 (ref. 52) 

lost ^fi5T5Kte£ *, r San Fra " cisco whCT -Sines 

they intended to engage the EEC. as in the indtodSd te3td“ aS^' '° "* ' nglnCS wh ' n 
Delta Air Lines L-1011, Los Angeles, CA, 4/12/77 (ref. 63) 

ewq k f ele J a f r J aiI f ied in the m “P position 

airplane by any nonnal or T^ndSd themselv « unab ^ to control the 
difficulty, to restore a limited degree of Ditch and ™n HnS ' wcre ab ^ e * a ^ ter considerable 

three engines. LW SS lS COn f° 1 ** ™8 differential power on the 
maintain directional control, and verifying nerfoma^ of Ch t nd win 8. en 8 ines differentially to 
during an emergency approach to Los AncUi^c -h at each successive configuration change 

and without damage to the aircraft or injuty m ii' “ limdin 8 the ai T ,lan<: safely 
Korean Air tines B-747 over Sakhalin Island, USSR, 911183 (ref. 66) 

afterlJ l sMyet^nt^^)OTbi^e^a^ C erco e u^ftTim^An 1I h tC> air “ *** frora * S ov,e, fighter 
had twice violated Soviet airspace during its flight Th^frt’hf^ 10 S °f u1, Korea ^e airplane 
were not recovered from thT 2a Thc and cockpit voice recorders 

Organization, it was believed that its aberrant fUsht nlthT d^ C In ^ rnations J Civil Aviation 
tncomte. sets of waypoints loaded into the INS sysrctos pnor to de^i fiom teto^e” 

^“61)" U " eS L - IOUIC <"“^ntal Airlines B-747 over Atlantic Ocean, 7,8/87 

airplane Strayed'S) ^™f^s\^^d^2lk 'rout’e ' ” Tht AlJ anat ocean after the Delta 

other aircraft but not, apparently, by 8 the Ddta crew was^lieve^m h * hlcb was observcd b >' 
uicorrectly Inserted waypomt in the E&«a ' b “ n CaU$ed by 30 

Air Florida B-737, Washington National Airport, DC, 1/13/82 (ref. 68) 

from wL^n So^,^ ahonly afttr taheoff 

atrplane had been de-iced 1 hour beta depanum, 
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s l * nce operation before it reached takeoff position. The engines developed substantially less 
than takeoff power during the takeoff and thereafter due to incorrect setting of takeoff power by the 
piiOts. It was believed that the differential pressure probes in the engine were iced over, providing 
qn incorrect (too high) EGT indication in the cockpit. This should have been detected by 
p'.? miration of the other engine instruments, but was not perceived by the captair flying. 

The NTSB found that the probable cause of the accident was the flieht crew’s failure to use 
engine ar.D-ice dunng ground operation and takeoff, their decision to take off with snow/ice on tne 
airfoils, and the captain s failure to reject the takeoff at an early stage when his attention was called 
to anomalous engine instrument readings. Contributing factors included the prolonged ground 
delay after deicing, the known mherent pitching characteristics of the B-737 when the wing leading 
edges are contaminated, and the limited experience of the flight crew in jet transport winter 


Delta Air Lines L-10U-385-1, Dallas-Fon Worth Airport, TX, 8/2/85 (ref. 83) 

This airplane crashed during an approach to landing on runway 17L. TOle passing through a 
ram shaft beneath a thunderstorm, the flight encountered a microburst which the pilot was unable 
to traverse successfully. The airplane struck the ground 6300 ft north of the runwav The accident 
was fatal to 1 34 persons; 29 survived. ‘ 

The NTSB found the probable cause to be the flight crew’s decision to initiate and continue 
the approach into a cumulo-nimbus cloud which they had observed to contain visible lightning a 
lack of specific guidance, procedures and training for avoidance and escape from low-altitude wind 
shear, and lack of definitive, real-time wind shear hazard information. 

Northwest Airlines B-727 and DC -9, Detroit Metro Airport, MI, 12/3/90 (ref. 84) 

These two aircraft collided while the 727 was taking off and the DC-9 was lost on the airport 
in severely restricted visibility. Both aircraft were on the ground. The accident site was not visible 
trom the tower due to tog; ASDE was not available. The investigation is not complete at this time. 

US Air B-737 and Skywest Fairchild Metro, Los Angeles, CA, 2/1/91 (ref. 84) 

This accident occurred after the US Air airplane was cleared to land on runwav 24L at Lo 
Angeles whde the Commuter Metro was positioned on the runway at an intersection awaiting 
takeoff clearance. There were 34 fatalities and 67 survivors in tlic two aircraft. The Metro mav not 
have been easily visible from the control tower, airport surface detection radar equipment (ASDE) 
was available but was being used for surveillance of the south side of the airport. The controller 
was very busy just prior to the time of the accident. 


The NTSB investigation of this accident is underway at this time, but it is reported that the 
controller cleared the Metro ir.o position at an intersection on runwav 24L, 2400 ft from the 
threshold, two minutes before the accident. One minute later, the 737 was given a clearance to 
land on runway 24L. It is believed that the stroboscopic anti-collision lights on the Metro were r.ot 
operating at the time of the crash, as it had not yet received its takeoff clearance. 

Continental Airlines DC9-14, Denver, CO, 11/15187 (ref, 88) 


This airplane crashed immediately after takeoff on runway 35L enroute from Denver to Boise 
ID. The weather was sky obscured, ceding 300 ft, visibility 3/8 mile in moderate snow and fog’ 
winds from 030 at 10 kt, gusting to 18 kt, runway 35L visual range 2200 ft. The airplane had 
been de-iced 2/ min before takeoff. It rotated rapidly and crashed immediately after leaving the 
ground. There were 28 fatalities; 54 persons survived. 


During the investigation, it was found that the flight had not requested taxi clearance and the 
tower was unaware of its taxi to the de-icing pad. The Captain’s experience in the airplane was 
limited (133 hr DC9, 33 as a DC9 Captain); the first officer, who made the takeoff, had onlv 36 
-lours of jet and DC9 expenent t, and had been off duty for 24 days before this flight. 

fhe NTSB lound the probable cause to be the Captain’s failure to have the aircraft de-iced a 
second time after a delay that led to upper wing surface coma: tination and loss of control during a 
rap»d takeoff rotation by me first officer. Contributing causes were the absence of regulatory or 
management controls governing operations b\ newly qualified flight crewmembers. The Board 
questioned the Captain s decision not to have the airplane de-iced a second time and to permit the 
inexperienced first officer to make the takeoff under difficult weather conditions. It commented 

“Pairing of pilots with limned experience in their respective positions can, when combir -d 
with other factors, such as adverse weather, be unsafe and is not acceptable,'’ and made 
recommendations to avoid such pairings. 

VS Air B-737-400, LaG, ardia Airport, Flushing, NY, 9120189 (ref. 89) 

This airplane crashed into a pier past the departure end of runway 3 1 during takeoff enroute to 
Charlotte, NC. Two passengers suffered fatal injuries. As the first officer began the takeoff roll, 

, t£lt the airplane drift to the left. The Captain used nosewheel steering to correct the drift. As .he 
taxeofl run progressed, the crew heard a “bang” and a continual rumbling noise. The Captain then 
took over control and rejected the takeoff but was unable to stop the airplane before running off the 
end of the runway into Boweiy Bay. 


The NTSB found the probable cause of the accident to be the Captain’s failure to exercise 
command authority in a timely manner to reject the takeoff or to take sufficient control to continue 
the takeoff, which was initiated with a mistrimmed rudder Also causal was the Captain’s railure 
to detect the mistrimmed redder before rhe takeoff roll was attempted. 

The Board noted that the takeoff configuration warning system does not include an alarm for a 
imstn.nmed mdder, and stated that this is proper because the aircraft is not unflv able. There were 
abundant changes to detect die out-of-trim condition through visual, tactile and proprioceptive 
means. There was also a miscommunication; the Captain said “got the steering,” advising the first 
officer to correct the airplane s track with right rudder. The first officer heard “I got the steering,” 
said “okay” and gradually relaxed his pressure on the right rudder pedal. It was thought that 
neither pilot was in full contro thereafter, this problem continued after the takeoff was rejected. 

"^ e Board noted that “both pilots were inexperienced in their respective positions the first 
officer was conducting h < first unsupe^vised line takeoff in a 737 and also his first takeoff after a 
39-oay non-flying period The Captain had 5525 hr total flying time, 2625 hr in the 737, but onlv 
c Capta,n in the 737400 - The first officer had 3287 hr total time, 8.2 hr in the 737- 
jOO/ 400. Several crew coordination problems and multiple errors by both pilots were commented 
upon by the Board. 
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